POC Exploit Released for Fortinet RCE Bug, Patch Now!

Written by Mitchell Langley

March 25, 2024

A critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software has been discovered and is currently being actively exploited in attacks. Security researchers have released a proof-of-concept (PoC) exploit for this vulnerability.


Fortinet RCE Bug CVE-2023-48788

Tracked as CVE-2023-48788, the Fortinet RCE Bug is an SQL injection in the DB2 Administration Server (DAS) component, which was reported by the UK’s National Cyber Security Centre (NCSC). It affects versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2) of FortiClient EMS.

Exploiting this vulnerability allows unauthenticated threat actors to execute remote code with SYSTEM privileges on unpatched servers. Notably, these attacks can be carried out with low complexity and do not require user interaction.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests,” Fortinet explains in a security advisory released last week.

While the company didn’t initially mention that Fortinet RCE Bug CVE-2023-48788 was being used in attacks, it has since silently updated the advisory to say that the “vulnerability is exploited in the wild.”

Following the release of Fortinet’s security updates for the Fortinet RCE flaw, security researchers from Horizon3’s Attack Team published a technical analysis and shared a proof-of-concept (PoC) exploit.

This exploit helps determine if a system is vulnerable but does not provide remote code execution capabilities.

However, turning Horizon3’s PoC into a working remote code execution exploit would require modifying it to invoke the Microsoft SQL Server xp_cmdshell procedure, which spawns a Windows command shell and so allows code execution.

“To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server,”

“Initially, the database was not configured to run the xp_cmdshell command, however it was trivially enabled with a few other SQL statements.”

Horizon3 vulnerability researcher James Horseman said.
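The defensive counterpart to that observation, as an added example that is not code from Horizon3 or Fortinet: a small scanner that flags the SQL Server ERRORLOG entries written when xp_cmdshell, or the “show advanced options” gate that must be opened first, is switched on. The message text is the one SQL Server itself logs for sp_configure changes; the timestamps, spids and surrounding lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# A SQL Server ERRORLOG line: "<timestamp> <source> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+(?P<msg>.*)$"
)
# Text SQL Server logs when sp_configure changes an option (message 15457).
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that should never flip at runtime on a server that only hosts an
# application database; enabling them is a strong post-exploitation signal.
WATCHED = {"xp_cmdshell", "show advanced options", "Ole Automation Procedures"}


@dataclass
class Finding:
    timestamp: datetime
    option: str
    old: int
    new: int


def scan_errorlog(lines):
    """Return a Finding for each watched option that went from off (0) to on."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CONFIG_RE.search(m.group("msg"))
        if not c or c.group("option") not in WATCHED:
            continue
        old, new = int(c.group("old")), int(c.group("new"))
        if old == 0 and new != 0:  # ignore 1 -> 1 re-runs and 1 -> 0 disables
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            findings.append(Finding(ts, c.group("option"), old, new))
    return findings


# Constructed sample log: a gate open, an enable, a no-op re-run, a disable.
SAMPLE_LOG = """\
2024-03-20 02:14:07.11 spid52      Starting up database 'tempdb'.
2024-03-20 02:14:09.30 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-20 02:14:09.42 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-20 02:14:10.05 spid55      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
2024-03-20 02:30:00.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp:%Y-%m-%d %H:%M:%S} {f.option!r} enabled ({f.old} -> {f.new})")
```

Feeding the real ERRORLOG (or a SIEM export of it) to `scan_errorlog` gives the exact moment the procedure was enabled, which is the pivot point for scoping an intrusion.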

According to Shodan and the Shadowserver threat monitoring service, there are currently more than 440 FortiClient Enterprise Management Server (EMS) servers exposed online, with over 300 of them located in the United States.

In February, Fortinet addressed another critical remote code execution (RCE) vulnerability (CVE-2024-21762) in the FortiOS operating system and FortiProxy secure web proxy.

Fortinet acknowledged that this vulnerability was potentially being exploited in the wild. However, the very next day, CISA (Cybersecurity and Infrastructure Security Agency) confirmed active exploitation of the CVE-2024-21762 vulnerability and issued a directive for federal agencies to secure their FortiOS and FortiProxy devices within seven days.

It is worth noting that Fortinet security vulnerabilities are frequently exploited to gain unauthorized access to corporate networks for ransomware attacks and cyber espionage campaigns, often utilizing zero-day exploits.
