Fortinet Alerts Users to Critical Security Vulnerability in FortiClientEMS
Fortinet has issued a significant warning regarding a critical vulnerability affecting its FortiClientEMS software. This flaw poses a serious risk as it potentially enables attackers to execute arbitrary code on compromised systems, raising alarms for businesses relying on this software for endpoint management.
The vulnerability, identified as CVE-2023-48788, is attributed to improper handling of special elements in SQL commands, commonly referred to as SQL Injection (CWE-89). As detailed in Fortinet’s advisory, this weakness allows unauthenticated attackers to execute unauthorized commands through specifically designed requests, a situation that could lead to full system compromise if exploited. The issue has received a high CVSS score of 9.3 out of 10, indicating its severity.
This vulnerability impacts multiple versions of FortiClientEMS, specifically versions 7.2.0 to 7.2.2 and 7.0.1 to 7.0.10. Users are advised to upgrade to the latest versions—7.2.3 or above for the former, and 7.0.11 or above for the latter—to mitigate the risk. Horizon3.ai, a cybersecurity firm, plans to release additional information, including a proof-of-concept exploit, which could further elucidate the implications of this vulnerability.
Also of concern, Fortinet has addressed two additional critical vulnerabilities in its FortiOS and FortiProxy products that exhibit similar risks. These flaws enable attackers with access to the captive portal to execute arbitrary commands via specially crafted HTTP requests, further emphasizing the need for immediate software upgrades across affected Fortinet products.
While Fortinet has not confirmed any known active exploitation of these vulnerabilities, there is a history of unpatched Fortinet appliances being targeted in the wild. This ongoing risk underlines the importance for users to act without delay in implementing the necessary updates.
In a separate report, Horizon3.ai has highlighted that two vulnerabilities related to FortiWLM and FortiSIEM remain unaddressed despite being reported last year. These issues involve unauthenticated log file access, which could allow attackers to retrieve sensitive session ID tokens, raising additional concerns about the security posture of Fortinet’s offerings.
As concerns escalate over CVE-2023-48788, Fortinet has updated its advisory to reflect that the vulnerability is actively being exploited. However, specific details remain sparse, including information about the attackers and their methods. Horizon3.ai has also provided a proof-of-concept demonstrating the vulnerability, pointing out that it arises from user-controlled strings directly entering database queries.
This situation underscores potential operations reminiscent of tactics found in the MITRE ATT&CK framework, particularly in areas related to initial access and privilege escalation. Attackers exploiting this SQL injection vulnerability could gain unauthorized access, elevating their privileges within the system and carrying out malicious activities.
Business owners should remain vigilant and proactive regarding these vulnerabilities and their implications, ensuring that all affected software is updated promptly to minimize risk exposure in an increasingly hostile cybersecurity landscape.
