What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

Widespread Exploitation of Fortinet Vulnerability (CVE-2023-48788)

March 26, 2024 | 3 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

Beginning on March 24th, 2024, eSentire observed a significant increase in exploitation of  CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial access into organizations.

In incidents identified by eSentire, threat actors exploited CVE-2023-48788 for initial access into victim networks. After access was established, threat actors deployed persistence mechanisms, including reverse webshells and the ScreenConnect Remote Monitoring and Management (RMM) tool. Attacks were disrupted before threat actors completed their action on objectives, as such, final payloads have not been identified.

Exploitation of CVE-2023-48788 is now considered to be widespread. Based on observed tactics, the eSentire Threat Intelligence team assesses that it is highly probable, that if not addressed, attacks exploiting the vulnerability will result in ransomware deployment. Due to these considerations, immediate patching is critical, and all potentially impacted devices should be reviewed for signs of compromise.

What we’re doing about it

What you should do about it

Additional information

CVE-2023-48788 was initially disclosed by Fortinet on March 12th, 2024. On March 21st, Fortinet updated their advisory to add that exploitation in the wild had been observed; no additional details were shared at the time. On the same day, Horizon3.ai released technical details on the vulnerability as well as Proof-of-Concept (PoC) exploit code. The release of PoC exploit code significantly lowers the barriers for vulnerability exploitation and allows even low-skilled threat actors to exploit complex vulnerabilities. As of March 25th, CISA has added CVE-2023-48788 to the Known Exploited Vulnerabilities Catalog; government agencies have been given until April 15th, to ensure all impacted devices are remediated.

RMM tools, including ScreenConnect, are increasingly being misused by threat actors. Ransomware groups, such as LockBit, employ these tools to enable lateral movement and the targeting of downstream customers. These tools are beneficial to threat actors as they are not specifically malicious and are less likely to be detected compared to custom tools. For more information on the abuse of RMM tools by threat actors, see the October 2023 TRU Intelligence Briefing.

Based on eSentire observations, threat actors are now exploiting CVE-2023-48788 and using multiple methods to deliver the ScreenConnect RMM tool. The first method utilizes Windows Installer (MSI) files, PowerShell, and Finger, a client-server application that allows a user to interact with a finger server or “daemon,” to deliver the tool (Figures 1-2). The other method relies solely on an obfuscated PowerShell command to setup a backdoor which ultimately deploys the ScreenConnect tool (Figures 3-6). Figure 5 shows an updated version of Ben Turner’s & Dave Hardy’s Powerfun Script. A very similar script was observed by The DFIR Report in their article titled From ScreenConnect to Hive Ransomware in 61 hours. While eSentire has not observed ransomware deployment, as a result of CVE-2023-48788 exploitation, Fortinet vulnerabilities have been a common initial access vector for ransomware groups.

Figure 1. Fortinet FortiClientEMS (FcmDaemon.exe) accepted multiple connections from a threat actor-controlled IP
Figure 2. Post Compromise activity leading to ScreenConnect Deployment
Figure 3. Exploitation leading to the execution of an obfuscated PowerShell Command
Figure 4. Obfuscated PowerShell Command
Figure 5. Deobfuscated PowerShell Command
Figure 6. PowerShell leading to the deployment of ScreenConnect

Indicators of Compromise

185.56.83[.]82

Command and Control IP Address

95.179.241[.]10

ScreenConnect Hosting IP Address

References:

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-48788
[2] https://www.esentire.com/security-advisories/critical-fortinet-vulnerability-disclosed
[3] https://fortiguard.fortinet.com/psirt/FG-IR-24-007
[4] https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/
[5] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] https://www.esentire.com/resources/library/october-2023-tru-intelligence-briefing-on-demand
[7] https://github.com/davehardy20/PowerShell-Scripts/blob/master/Invoke-Powerfun.ps1
[8] https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
[9] https://www.esentire.com/blog/hackers-exploit-fortinet-devices-to-spread-ransomware-within-corporate-environments-warns-esentire

View Most Recent Advisories