Critical Fortinet Vulnerability Disclosed

THE THREAT

On March 12th, Fortinet issued a warning regarding a critical security flaw in its FortiClientEMS software. The vulnerability, identified as CVE-2023-48788 (CVSS: 9.8), is a SQL injection flaw. Exploitation would allow an unauthenticated threat actor to execute code or commands remotely through specifically crafted requests, enabling initial access into organizations and allowing for follow-on activity such as malware deployment.

eSentire is aware of claims that Proof-of-Concept (PoC) exploit code and other technical details for CVE-2023-48788 will be publicly released next week (March 18th-22nd). It is critical that organizations apply the relevant security patches prior to the release of PoC exploit code, as this release will significantly increase the likelihood of real-world exploitation.

The eSentire Threat Intelligence team assesses that exploitation of CVE-2023-48788 will occur in the near future, raising the criticality of quickly addressing this vulnerability.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) will add the relevant plugins as they become available
• eSentire’s Threat Response Unit (TRU) is actively tracking this vulnerability for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches immediately
  • CVE-2023-48788 impacts the following versions:
    • FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above)
    • FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above)

Additional information

CVE-2023-48788 stems from an improper neutralization of special elements in an SQL Command (SQL Injection). Organizations are strongly recommended to update all impacted Fortinet devices to the most recent version as soon as possible. Alternative mitigations are not currently available.

Horizon3.ai has stated that they will release technical details and PoC exploit code for this vulnerability next week. The release of PoC code significantly lowers the barriers for vulnerability exploitation and allows even low-skilled threat actors to exploit complex vulnerabilities.

Fortinet vulnerabilities have a history of being exploited by threat actors. Most recently, on February 9th, a Remote Code Execution vulnerability in Fortinet FortiOS, tracked as CVE-2024-21762 (CVSS: 9.8), was added to CISA’s Known Exploited Vulnerability (KEV) catalog. Past exploitation may indicate that threat actors are already familiar with the platform and have an interest in targeting these devices.

The release of technical details and PoC exploit code significantly increases the likelihood of this vulnerability being exploited in real-world attacks. The eSentire Threat Intelligence team assesses that it is highly probable that real-world exploitation of CVE-2023-48788 will occur in the near future.

References:

[1] https://fortiguard.fortinet.com/psirt/FG-IR-24-007
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-48788
[3] https://twitter.com/Horizon3Attack/status/1767965754744312161