Hackers got the key to FortiClient EMS: PoC exploit publicly released

Administrators need to take measures to protect corporate systems.

Horizon3 security researchers have released a PoC exploit of the critical Fortinet FortiClient EMS vulnerability, which is currently being actively exploited by hackers.

The SQL injection vulnerability CVE-2023-48788 (CVSS score: 9.8) resides in the DB2 Administration Server (DAS) component and affects FortiClient EMS versions 7.0 (7.0.1 to 7.0.10) and 7.2 (7.2.0 to 7.2.2). It allows an unauthenticated remote attacker to achieve Remote Code Execution (RCE) with SYSTEM privileges without any user interaction.

Initially, it was not reported whether Fortinet found evidence of using the bug in the attack, but in the latest security bulletin, the company clarified that the vulnerability is exploited in real-world conditions.

A week after the release of the Fortinet patches, security researchers from the Horizon3 team published a technical analysis and shared a Proof-of-Concept (PoC) exploit that confirms the vulnerability without providing remote code execution capabilities.

For the PoC exploit to work in RCE attacks, you need to modify the PoC to use the xp_cmdshell procedure in Microsoft SQL Server to create a Windows command shell for executing code.

Shodan and Shadowserver show more than 440 and 300 FortiClient EMS servers exposed to the Internet, respectively, most of which are located in the United States.

It is worth noting that vulnerabilities in Fortinet products are frequently used to gain unauthorized access to corporate networks for ransomware attacks and cyber espionage, sometimes via zero-day exploits.