Fortinet warns of critical RCE bug in endpoint management software

Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers.

FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices.

The security flaw (CVE-2023-48788) is an SQL injection in the DB2 Administration Server (DAS) component, which was discovered and reported by the UK's National Cyber Security Centre (NCSC) and Fortinet developer Thiago Santana.

It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), and it allows unauthenticated attackers to gain RCE with SYSTEM privileges on unpatched servers in low-complexity attacks that don't require user interaction.

"An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," the company explained in a security advisory released on Tuesday.

Fortinet has not revealed if it has any evidence of CVE-2023-48788 being exploited in attacks before patching.

Horizon3's Attack Team confirmed the bug's critical severity today and said they'll publish proof-of-concept exploit code and a technical deep-dive next week.

On Tuesday, the company fixed another critical out-of-bounds write weakness (CVE-2023-42789) in the FortiOS and FortiProxy captive portal that could let an unauthenticated "inside attacker" remotely execute unauthorized code or commands on unpatched using maliciously crafted HTTP requests.

Two other high-severity flaws, an improper access control (CVE-2023-36554) in FortiWLM MEA for FortiManager and a CSV injection (CVE-2023-47534) in FortiClient EMS, patched this week, allow threat actors to execute arbitrary commands or code on vulnerable systems.

Last month, Fortinet disclosed a critical remote code execution (RCE) bug (CVE-2024-21762) in the FortiOS operating system and the FortiProxy secure web proxy, which the company tagged as "potentially being exploited in the wild."

One day later, CISA confirmed CVE-2024-21762's active exploitation one day later and ordered federal agencies to secure their FortiOS and FortiProxy devices within seven days.

Fortinet flaws are regularly exploited to breach corporate networks in ransomware attacks and cyber espionage campaigns (many times as zero days).

For instance, Fortinet revealed in February that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger custom remote access trojan (RAT) malware previously used to backdoor a military network of the Dutch Ministry of Defence.