Critical Fortinet EMS Flaw Fixed: Update Now!

Fortinet has released an update to rectify a critical vulnerability in the FortiClient Enterprise Management Server (EMS) software, which allowed attackers to remotely execute code on susceptible servers.

FortiClient EMS provides administrators with tools to manage devices within a corporate network and facilitates the installation of FortiClient and the configuration of security policies on Windows computers.

The vulnerability, tracked as CVE-2023-48788, is a SQL injection in the DB2 Administration Server (DAS) component. It was discovered by the UK's National Cyber Security Centre (NCSC) and Fortinet developer Thiago Santana.

CVE-2023-48788

The vulnerability affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). Exploitation does not require user interaction and is relatively straightforward.
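A practical first step for defenders is checking which EMS servers fall inside the version ranges listed above. The following script is an added example, not code from the article or from Fortinet: it parses version strings, compares them as integer tuples (so that 7.0.10 is correctly treated as newer than 7.0.2, which a plain string comparison would get wrong), and flags hosts inside the ranges the article names. The inventory and hostnames are constructed sample data; a version outside the listed ranges only means the article does not list it as affected, not that the host is patched.

```python
# Added example: triage an EMS inventory against the affected ranges the article
# lists for CVE-2023-48788 (7.0.1-7.0.10 and 7.2.0-7.2.2). Not Fortinet's code.
import re

# Affected ranges as stated in the article, inclusive on both ends.
LISTED_RANGES = {
    "7.0": ((7, 0, 1), (7, 0, 10)),
    "7.2": ((7, 2, 0), (7, 2, 2)),
}


def parse_version(text):
    """Extract an x.y.z version from strings like '7.0.10' or 'v7.2.1 build 0123'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    # Integer tuples compare numerically: (7, 0, 10) > (7, 0, 2), unlike the strings.
    return tuple(int(part) for part in match.groups())


def in_listed_range(version_text):
    """True if the version falls inside one of the ranges the article lists."""
    version = parse_version(version_text)
    bounds = LISTED_RANGES.get(f"{version[0]}.{version[1]}")
    if bounds is None:
        return False  # branch not named by the article (e.g. 6.4.x)
    low, high = bounds
    return low <= version <= high


def triage(inventory):
    """inventory: dict of host -> version string; returns hosts in a listed range, sorted."""
    return sorted(host for host, ver in inventory.items() if in_listed_range(ver))


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.2.1",
    "ems-prod-02": "v7.0.10 build 0500",
    "ems-lab-01": "7.0.0",   # below the listed 7.0 range
    "ems-lab-02": "7.2.3",   # above the listed 7.2 range
    "ems-dr-01": "6.4.9",    # branch not named by the article
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range, update")
```

The script reads versions from whatever inventory export you already have; only the parsing of the version field and the two range tuples need to change if the vendor later extends the affected list.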

Fortinet has not disclosed whether evidence of CVE-2023-48788 being exploited in the wild was discovered before the patch’s release.

The Horizon3 team today confirmed the vulnerability's critical severity and announced that next week it will publish proof-of-concept exploit code for demonstration purposes along with a detailed technical analysis.

On Tuesday, the company fixed another critical vulnerability: an out-of-bounds write (CVE-2023-42789) in the FortiOS and FortiProxy authentication system. This flaw could allow unauthorized individuals already inside the network to remotely execute arbitrary code or commands on unpatched devices by sending specially crafted HTTP requests.

Two more vulnerabilities of high severity were recently addressed: improper access control (CVE-2023-36554) in FortiWLM MEA for FortiManager and CSV injection (CVE-2023-47534) in FortiClient EMS.

Last month, Fortinet disclosed a critical RCE vulnerability (CVE-2024-21762) in the FortiOS operating system and the FortiProxy secure web proxy, which the company labeled as “potentially exploitable in the wild.”

The following day, CISA confirmed the active exploitation of CVE-2024-21762 and ordered federal agencies to secure their FortiOS and FortiProxy devices within seven days.

Fortinet vulnerabilities are regularly exploited to gain initial access to corporate networks in ransomware attacks and espionage operations, often as zero-days.

For instance, in February, Fortinet reported that the Chinese hacking group Volt Typhoon used two SSL VPN vulnerabilities in FortiOS (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), previously used to backdoor the Dutch Ministry of Defence's network.