Fortinet has issued an advisory warning about a new critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software. This flaw, identified as CVE-2023-48788, has been assigned a severity score of 9.3 on the CVSS scale, underlining its potential for serious impact. Horizon3, a prominent team of security researchers, has disclosed a proof-of-concept (PoC) exploit, indicating that the vulnerability is theoretical and being actively exploited in real-world attacks.
The Nature of the Vulnerability
CVE-2023-48788 is a critical SQL injection flaw located within the DAS component of FortiClientEMS. The vulnerability stems from the software’s improper neutralization of particular elements used in SQL commands. This oversight allows an unauthenticated attacker to execute unauthorized code or commands through specially crafted requests. Exploiting this flaw can lead to complete system compromise data breaches, potentially enabling attackers to gain a foothold within the affected organization’s network.
Affected Versions and Remediation
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
| FortiClientEMS 7.0 | 7.0.1 through 7.0.10 | Upgrade to 7.0.11 or above |
The issue was initially reported by Thiago Santana from the FortiClientEMS development team and the UK National Cyber Security Centre (NCSC), prompting swift action by Fortinet to address this critical flaw.
Updated Advisory: Exploited in the Wild
Although Fortinet’s initial advisory reported no known instances of exploitation, the company has since updated its advisory to confirm that CVE-2023-48788 is indeed being exploited in active attacks. This revelation underscores the urgency for administrators to apply the necessary patches to mitigate the risk.
Technical Analysis and Indicators of Compromise
Horizon3’s Attack Team has published a detailed technical analysis of the vulnerability and a PoC exploit. Their findings show that while the database’s default configuration does not enable the xp_cmdshell command (often used for remote code execution), attackers could still execute it through additional SQL statements.
Administrators are advised to inspect various log files, particularly those located in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs, for any signs of unauthorized access or other indicators of compromise. The Microsoft SQL logs should also be reviewed for any evidence of the xp_cmdshell command being executed, which could indicate a successful exploitation.
Action Required
Given the severity of CVE-2023-48788 and its active exploitation, it is crucial for organizations running the affected versions of FortiClientEMS to upgrade to the patched versions immediately. Fortinet has also provided a virtual patch, “FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection”, available in FMWP database update 27.750, as a temporary measure for those unable to upgrade immediately.