Cybersecurity researchers have uncovered active exploitation of a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS), tracked as CVE-2023-48788.

This flaw, stemming from improper filtering of SQL commands, allows attackers to execute unauthorized code or commands via SQL injection. Despite the availability of patches, threat actors have been leveraging this vulnerability to infiltrate enterprise networks globally.

CVE-2023-48788 affects FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2, with a critical Common Vulnerability Scoring System (CVSS) score of 9.8.

It enables unauthenticated attackers to exploit the system by sending specially crafted data packets, potentially leading to remote code execution (RCE). The vulnerability was disclosed in March 2024, with patches released in versions 7.0.11 and 7.2.3.

FortiClient EMS serves as a centralized platform for managing endpoint security policies, often exposed to the internet for remote access purposes.

This exposure increases the risk of exploitation, allowing attackers to establish initial access, conduct reconnaissance, and deploy malicious payloads.

FortiClient EMS Vulnerability Exploited in Wild

During an incident response in October 2024, Kaspersky’s Global Emergency Response Team (GERT) identified an attack on a Windows server using a vulnerable FortiClient EMS version (7.0.1).

The attackers gained access through SQL injection and deployed remote monitoring and management (RMM) tools like ScreenConnect and AnyDesk for persistence and lateral movement.

Artifacts revealed the use of tools such as mimikatz.exe for credential theft and HRSword.exe for defense evasion. Attackers also utilized native Windows binaries like certutil and curl to download additional payloads, furthering their control over compromised systems.

Threat intelligence indicates widespread exploitation of CVE-2023-48788 across multiple regions and industries. Attackers have been observed targeting vulnerable systems for data exfiltration, credential theft, and ransomware deployment. Notably, groups like Medusa ransomware have exploited this vulnerability for initial access.

Organizations using FortiClient EMS must urgently update to patched versions (7.0.11 or later, 7.2.3 or later) to mitigate risks. Additional security measures include:

• Restricting internet exposure of FortiClient EMS servers.
• Monitoring network traffic for signs of exploitation using intrusion detection systems (IDS).
• Implementing endpoint protection platforms (EPP) on all hosts.
• Configuring web application firewalls (WAF) to block malicious requests.
• Regularly reviewing system logs for suspicious activity.

This incident underscores the importance of timely patch management and robust cybersecurity practices to defend against evolving threats exploiting known vulnerabilities like CVE-2023-48788.