Easy Exploit Lets Hackers Seize Control of Unpatched Fortinet Servers


Security researchers have just released a proof-of-concept (POC) exploit that allows hackers to easily break into certain versions of Fortinet’s FortiClient enterprise software. This critical vulnerability, tracked as CVE-2023-48788, enables complete remote control over vulnerable servers without any user interaction.

The flaw is a SQL injection bug in the database component of FortiClient Enterprise Management Server (EMS) versions 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2. By sending maliciously crafted requests, hackers can inject SQL commands and ultimately run any code they want on the vulnerable server with full system privileges.

Fortinet has already released software updates to plug this gaping hole, but confirmed the flaw is now being actively exploited by threat actors. Just one week after patches were made available, cybersecurity firm Horizon3 published an analysis showing how simple it is to check if a server is vulnerable using their proof-of-concept code. They even explain how minor tweaks can turn it into a full remote code execution exploit. The POC is currently published online.

Internet scanning services like Shodan show hundreds of FortiClient EMS servers are currently exposed online, primarily in the United States, making them prime targets for these newly published attacks. Urgent action is needed to update vulnerable FortiClient EMS installations immediately.
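As an added illustration (not code from the article, Horizon3 or Fortinet), the following Python helper takes the affected version ranges quoted above and flags an EMS version string that falls inside them, comparing components numerically so that 7.0.10 is not mistaken for an older release than 7.0.9. The sample versions at the bottom are constructed, not real inventory.

```python
# Added example: flag FortiClient EMS versions that fall inside the
# ranges the article lists as affected by CVE-2023-48788.
from typing import Tuple

# Affected ranges as stated in the article (inclusive at both ends).
AFFECTED_RANGES = [
    ("7.0.1", "7.0.10"),
    ("7.2.0", "7.2.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch' into a tuple of ints for numeric comparison.

    A plain string comparison would rank '7.0.10' below '7.0.9';
    comparing integer tuples avoids that mistake. Missing components
    are padded with 0 so '7.2' is treated as '7.2.0'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the given EMS version lies inside an affected range."""
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def assess(version: str) -> str:
    """Short verdict line suitable for an inventory report."""
    if is_affected(version):
        return f"FortiClient EMS {version}: AFFECTED by CVE-2023-48788, patch now"
    return f"FortiClient EMS {version}: not in an affected range"


if __name__ == "__main__":
    # Constructed sample versions, not real hosts.
    for ver in ["7.0.9", "7.0.10", "7.0.11", "7.2.2", "7.2.3", "6.4.8"]:
        print(assess(ver))
```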

This is far from the first time major cybersecurity holes have exposed Fortinet’s enterprise products. Just in February, a separate critical flaw in FortiOS and FortiProxy also required emergency patching as active exploitation was detected. Unfortunately, Fortinet vulnerabilities are routinely weaponized by ransomware gangs and nation-state hackers due to their prevalence across corporate networks.

Clearly, Fortinet customers need to make patch management an utmost priority. Failing to keep their security products up to date leaves the door wide open for threat actors to compromise networks and systems through simple, widely published exploits like this one for CVE-2023-48788. Don’t wait – update your Fortinet deployments now.

Mohamed Nabil Ali

A Trailblazing IT Expert, Technology Geek, and Bughunter.