Fortinet has disclosed a critical vulnerability in its FortiClient Enterprise Management Server (EMS) that is being actively exploited by attackers in the wild. The flaw, tracked as CVE-2023-48788, allows unauthorized code execution through SQL injection. Kaspersky’s Global Emergency Response Team (GERT) identified the exploitation of this vulnerability during an incident response engagement in October 2024.
The attackers targeted a company’s internet-exposed Windows server running a vulnerable version of FortiClient EMS. The company uses FortiClient EMS to manage VPN access policies for employee devices. By exploiting the SQL injection flaw, the attackers were able to execute malicious commands on the server.
After gaining initial access, the attackers installed remote access tools like ScreenConnect and AnyDesk on the compromised system. They then used these tools to perform further malicious activities such as network scanning, credential theft, and establishing persistence. Kaspersky’s analysis revealed that the attackers dropped several malicious tools onto the server:
webbrowserpassview.exe – A password recovery tool for web browsers
netpass64.exe – Another password dumping utility
netscan.exe – A network scanning tool
The same threat actor is believed to have targeted companies across multiple countries including Brazil, France, India, Indonesia and others.
Fortinet’s critical FortiClient EMS vulnerability
They used different ScreenConnect subdomains for each victim. Fortinet had released patches for the CVE-2023-48788 vulnerability several months prior to these attacks.
However, the targeted company had not yet updated their FortiClient EMS software, leaving them exposed. Kaspersky detected additional exploitation attempts of the same vulnerability on October 23, 2024. In these cases, the attackers tried to execute a malicious PowerShell script to identify vulnerable targets.
Organizations using FortiClient EMS are strongly advised to update to the latest patched versions as soon as possible. They should also monitor for signs of compromise and unauthorized remote access tools on their systems. This incident highlights the importance of promptly patching known vulnerabilities, especially those in internet-facing systems.
Attackers are quick to weaponize flaws like CVE-2023-48788 to breach networks for malicious purposes.
