Critical Remote Code Execution Vulnerability in Fortinet Patched

March 14, 2024

Fortinet has rectified a critical remote code execution (RCE) vulnerability in its FortiClient Enterprise Management Server (EMS), a system used for managing endpoint devices. The vulnerability, tagged as CVE-2024-48788, originates from an SQL injection error in a direct-attached storage component of the server. This flaw could allow unauthenticated attackers to execute arbitrary code and commands with system admin privileges on affected systems, by using specially crafted requests.

The severity of the vulnerability was rated 9.3 out of 10 on the CVSS rating scale by Fortinet and was assigned a near maximum score of 9.8 by the National Vulnerability Database. The flaw affects multiple versions of FortiClientEMS 7.2 and FortiClientEMS 7.0. Fortinet has recommended organizations using affected versions to upgrade to the newly patched FortiClientEMS 7.2.3 or above, or to FortiClientEMS 7.0.11 or above.

The flaw was discovered by a researcher from Fortinet's FortiClientEMS development team and the United Kingdom's National Cyber Security Center (NCSC). However, the company's advisory didn't provide extensive details on the vulnerability. Researchers at Horizon3.ai, who have reported multiple previous bugs in Fortinet technologies, announced they would release indicators of compromise, a proof-of-concept (PoC) exploit, and technical details of the bug in the following week. As of now, there have been no reports of exploit activity in the wild targeting this flaw.

Tenable, in an advisory about CVE-2024-48788, warned that Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019. The security vendor highlighted examples such as CVE-2023-27997, a critical heap-based buffer overflow vulnerability in multiple versions of Fortinet's FortiOS and FortiProxy technology, and CVE-2022-40684, an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager technologies.

Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years. Warnings about these flaws have been issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others. These warnings highlighted the efforts of Volt Typhoon and other China-backed threat groups to break into and maintain persistent access on US critical infrastructure networks.

In a separate development, Horizon3.ai disclosed more details on 16 flaws they reported to Fortinet in 2023 — all but two of which the company has already patched. These flaws affect Fortinet's Wireless LAN Manager (WLM) and FortiSIEM technologies and include SQL injection issues, command injection flaws, and those that enable arbitrary file reads. Among the vulnerabilities highlighted by Horizon3.ai are CVE-2023-34993, CVE-2023-34991, CVE-2023-42783, and CVE-2023-48782.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.