TLDR:
- A critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software, tracked as CVE-2023-48788, is actively exploited in attacks.
- An SQL injection flaw in the DB2 Administration Server component allows unauthenticated threat actors to gain remote code execution (RCE) with SYSTEM privileges.
Security researchers have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software, tracked as CVE-2023-48788. The flaw is an SQL injection in the DB2 Administration Server (DAS) component, discovered and reported by the UK’s National Cyber Security Centre (NCSC).

It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), enabling unauthenticated threat actors to gain remote code execution (RCE) with SYSTEM privileges on unpatched servers in low-complexity attacks that require no user interaction.

Fortinet has released security updates to address the flaw, and security researchers with Horizon3’s Attack Team have published a technical analysis and shared a PoC exploit that defenders can use to confirm whether a system is vulnerable. Shodan and Shadowserver track hundreds of exposed FortiClient EMS servers online, most of them in the United States.

This latest RCE bug follows a critical RCE bug (CVE-2024-21762) in the FortiOS operating system and the FortiProxy secure web proxy that was patched in February. Fortinet vulnerabilities are frequently exploited in ransomware attacks and cyber espionage campaigns.
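The practical first step for a defender is to find which EMS installations fall inside the affected ranges quoted above. The following version-triage script is an added example, not code from the article, Fortinet, NCSC or Horizon3; it encodes only the two inclusive ranges the article lists (7.0.1–7.0.10 and 7.2.0–7.2.2), and the inventory format (hostname to version string, including the build suffix style) is a constructed assumption.

```python
"""Triage a FortiClient EMS inventory against the CVE-2023-48788 affected ranges.

Added example: the ranges below come from the article; the inventory format
and the sample hosts are constructed for illustration.
"""
from __future__ import annotations

# Inclusive affected ranges as stated in the article.
AFFECTED_RANGES: tuple[tuple[tuple[int, int, int], tuple[int, int, int]], ...] = (
    ((7, 0, 1), (7, 0, 10)),
    ((7, 2, 0), (7, 2, 2)),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple.

    Tolerates a leading 'v' and trailing build metadata such as
    '7.2.2 build 0864' or '7.2.2-0864' (constructed formats). String
    comparison would wrongly rank '7.0.9' above '7.0.10', so numeric
    tuples are used instead.
    """
    s = text.strip().lstrip("vV")
    for sep in (" ", "-", "+"):
        s = s.split(sep, 1)[0]
    parts = s.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:  # '7.2' is treated as '7.2.0'
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split an inventory into affected, unaffected and unparseable hosts.

    Unparseable entries are reported rather than silently skipped, since a
    host with an unknown version still needs a manual check.
    """
    result: dict[str, list[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(ver) else "unaffected"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are not real systems).
SAMPLE_INVENTORY: dict[str, str] = {
    "ems-hq.example.test": "7.2.2 build 0864",
    "ems-branch.example.test": "v7.0.10",
    "ems-lab.example.test": "7.2.3",
    "ems-legacy.example.test": "7.0.0",
    "ems-old.example.test": "6.4.9",
    "ems-unknown.example.test": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run against a real export, the `affected` list is the set of servers to patch or isolate first, and `unknown` flags records whose version field needs to be verified by hand; note that the script only encodes the ranges the article gives and does not itself confirm exploitability.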