Full Report
A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect. The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted
Analysis Summary
# Vulnerability: Critical SQL Injection in Fortinet FortiClient EMS Leading to Remote Access Tool Deployment
## CVE Details
- CVE ID: CVE-2023-48788
- CVSS Score: 9.3 (Critical)
- CWE: SQL Injection (CWE-89)
## Affected Systems
- Products: Fortinet FortiClient EMS
- Versions: Not explicitly listed in detail, but the vulnerability affects systems where the patch was not yet applied.
- Configurations: Affects Windows servers running FortiClient EMS that are exposed to the internet with associated open ports.
## Vulnerability Description
The vulnerability is a critical SQL Injection (SQLi) flaw (CVE-2023-48788) in Fortinet FortiClient EMS. An unauthenticated attacker can send specially crafted data packets to the affected server, leading to unauthorized SQL command execution. This flaw was used as an initial access vector.
## Exploitation
- Status: **Exploited in the wild** (As of October 2024 reports).
- Complexity: Implied Low to Medium, as the attack leveraged internet-exposed servers.
- Attack Vector: Network (Requires unpatched EMS server exposed to the internet).
The exploitation chain involved:
1. Initial access via CVE-2023-48788 to execute remote code.
2. Deployment of a ScreenConnect executable to gain remote access.
3. Subsequent deployment of additional payloads, including AnyDesk, for persistence, reconnaissance (network scanning, credential dumping via tools like Mimikatz, WebBrowserPassView, and NetPass64), and lateral movement within the network.
The threat actors targeted companies globally, including in Brazil, France, India, and the UAE.
## Impact
- Confidentiality: **High** (Credential dumping and file access via remote access tools).
- Integrity: **High** (Ability to upload and execute arbitrary payloads and gain full control).
- Availability: **High** (Potential for system disruption following initial compromise).
## Remediation
### Patches
- The vulnerability is described as **"now-patched."** Specific patch versions for CVE-2023-48788 should be referenced from official Fortinet advisories (Note: The summary text does not list the specific fixed versions). *Affected users must consult Fortinet advisories for the specific patched releases.*
### Workarounds
- The article does not explicitly list vendor-provided workarounds, but based on the attack vector, limiting external/internet exposure of the FortiClient EMS management server is a critical mitigating step.
## Detection
- Indicators of Compromise (IoCs) include file activity related to the deployment of known remote access tools:
- ScreenConnect executables.
- AnyDesk remote control tool installation.
- Presence of post-exploitation tools: `webbrowserpassview.exe`, `Mimikatz`, `netpass64.exe`, `netscan.exe`.
- Detection methods should focus on monitoring the FortiClient EMS servers for unusual command execution or unexpected ingress activity on associated ports. Network scanning and unexpected network connections originating from the EMS server should be treated as high fidelity alerts.
## References
- Vendor advisories (Search required for specifics on CVE-2023-48788 patch details).
- Relevant links - defanged:
- hxxps://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-the-wild/115046/
- hxxps://thehackernews.com/2024/03/cisa-alerts-on-active-exploitation-of.html (Link provided referring to the CVE)