Critical Fortinet RCE Bug Exploited in Attacks: Security Researchers Release PoC Exploit
March 21, 2024
Security researchers have publicized a proof-of-concept (PoC) exploit for a severe vulnerability found in Fortinet's FortiClient Enterprise Management Server (EMS) software. This flaw is currently being exploited in active attacks. Identified as CVE-2023-48788, this security issue is an SQL injection in the DB2 Administration Server (DAS) component, which was discovered and reported by the UK's National Cyber Security Centre (NCSC). The vulnerability affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). It allows unauthenticated individuals to gain remote code execution (RCE) with SYSTEM privileges on unpatched servers in low-complexity attacks that do not require user interaction.
Fortinet explained in a security advisory released last week, 'An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.' Initially, Fortinet did not disclose that CVE-2023-48788 was being exploited in attacks, but it has since quietly updated the advisory to confirm that the 'vulnerability is exploited in the wild.'
A week after Fortinet released security updates to address the flaw, researchers with Horizon3's Attack Team published a technical analysis and shared a PoC exploit that can verify whether a system is vulnerable without providing remote code execution capabilities. Those wishing to use Horizon3's exploit code in RCE attacks must alter the PoC to use the Microsoft SQL Server xp_cmdshell procedure to initiate a Windows command shell for code execution. 'To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server,' said Horizon3 vulnerability researcher James Horseman. 'Initially, the database was not configured to run the xp_cmdshell command; however, it was trivially enabled with a few other SQL statements.'
Over 440 FortiClient Enterprise Management Server (EMS) servers exposed online are currently tracked by Shodan, while the Shadowserver threat monitoring service discovered more than 300, with the majority located in the United States. In February, Fortinet patched another critical RCE bug (CVE-2024-21762) in the FortiOS operating system and FortiProxy secure web proxy, suggesting it was 'potentially being exploited in the wild.' However, the next day, CISA confirmed that the CVE-2024-21762 bug was being actively exploited and instructed federal agencies to secure their FortiOS and FortiProxy devices within a week. It's important to note that Fortinet security vulnerabilities are often exploited to gain unauthorized access to corporate networks for ransomware attacks and cyber espionage campaigns, frequently using zero-day exploits.