FortiClient RCE Vulnerability (CVE-2024-48788) Affects Multiple Versions


Oct 17, 2024 by Taylor Krieg

Updated October 17, 2024 by Megan Morgan

Fortinet SQL injection vulnerability CVE-2023-48788 has recently been in the news again. Although this vulnerability was first published back in March of 2024, The Shadowserver Foundation just announced on X/Twitter (1) that, as of October 12th, it is still detecting over 87,000 IPs that remain affected by this critical vulnerability.

This is concerning because this vulnerability has been known for months to be exploited in the wild. Cyberscoop reported on Monday that the Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all federal agencies implement a fix for this vulnerability by October 30th, so we are now seeing governmental pressure to deal with this vulnerability and close this severe attack surface.

Here are the details that you need to know.

The affected product is FortiClient EMS.
The affected versions are 7.0.1 through 7.0.10, and 7.2.0 through 7.2.2.
The solution is to upgrade the product to either 7.0.11+ or 7.2.3+.

Initially, Fortinet pushed out a virtual patch in an FMWP database update, version number 27.750. This patch is named “FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection”. Fortinet deemed it a “mitigation” rather than a full fix for the vulnerability.

According to Fortinet, the patch reduced the attack surface but did not fully prevent the vulnerability from being exploited. So, you may have received that automatic patch but could still be vulnerable! The only vetted solution from Fortinet is the recommended firmware upgrade of the FortiClient EMS product.


Fortinet has addressed a critical vulnerability regarding remote code execution (RCE) in several versions of its FortiClient Enterprise Management Server (EMS), used for endpoint device management.


The vulnerability, CVE-2024-48788, stems from a SQL injection flaw in a direct-attached storage component of the server. The flaw allows unauthenticated attackers to run code and commands with system admin privileges on affected systems via carefully crafted requests.

Fortinet rated the severity of the vulnerability at 9.3 on the CVSS rating scale, while the National Vulnerability Database assigned it a nearly maximum score of 9.8.

Affected Versions:

FortiClientEMS version 7.2.0 – 7.2.2
FortiClientEMS version 7.0.1 – 7.0.10

Solutions:

Upgrade to FortiClientEMS 7.2.3 or above
Upgrade to FortiClientEMS 7.0.11 or above
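To make the version ranges above actionable across an inventory, here is a small checker (an added example, not Fortinet tooling or code from this post) that parses FortiClient EMS version strings, flags the affected 7.0.x and 7.2.x builds, names the fixed build to move to, and treats the FMWP 27.750 virtual patch as a mitigation that never clears the verdict. Hostnames, version strings and patch state in the inventory are constructed.

```python
# Inclusive affected ranges and the first fixed build per branch, as stated above.
AFFECTED_BRANCHES = {
    (7, 0): ((7, 0, 1), (7, 0, 10), (7, 0, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
}

def parse_version(text: str) -> tuple:
    """Turn '7.2.1', 'v7.2.1' or '7.2.1 build 0334' into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiClient EMS version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def assess(version: str, virtual_patch_applied: bool = False) -> dict:
    """Report whether a version is in an affected range and which build to move to.

    virtual_patch_applied models the FMWP 27.750 signature: the advisory calls it a
    mitigation, not a fix, so it never changes the 'affected' verdict."""
    v = parse_version(version)
    branch = AFFECTED_BRANCHES.get(v[:2])
    if branch is None:
        return {"version": version, "affected": False, "action": "branch not listed in advisory"}
    low, high, fixed = branch
    if v < low:
        return {"version": version, "affected": False, "action": "below listed affected range"}
    if v > high:
        return {"version": version, "affected": False, "action": "at or beyond fixed build"}
    action = "upgrade to %s or later" % ".".join(map(str, fixed))
    if virtual_patch_applied:
        action += " (virtual patch present is a mitigation only; upgrade is still required)"
    return {"version": version, "affected": True, "action": action}

# Constructed inventory (hostnames, versions and patch state are made up).
INVENTORY = [
    ("ems-01", "7.0.9", True),
    ("ems-02", "7.2.3", False),
    ("ems-03", "v7.2.1 build 0334", False),
    ("ems-04", "7.4.0", False),
]

def report(inventory=INVENTORY) -> list:
    """Assess every host in the inventory and return one result row per host."""
    return [dict(host=host, **assess(ver, vp)) for host, ver, vp in inventory]

if __name__ == "__main__":
    for row in report():
        print(row)
```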

We recommend updating any affected systems immediately. Fortinet has revised its earlier advisory, which now states that this vulnerability “is exploited in the wild,” and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. The situation has drastically evolved (and not for the better), mostly because a recently released proof-of-concept (PoC) exploit publicly disclosed the technical details of this flaw.

The brief window of opportunity to address CVE-2024-48788 before attacks begin has closed. It is critical that you update your systems as soon as possible, along with doing the following:

Take Immediate Action

Organizations using FortiClient EMS should prioritize updating their systems to patched versions immediately to protect their systems from this specific threat.

Audit And Monitor

Beyond patching, it’s essential to audit and monitor systems continuously, especially those accessible via the internet, to detect and deter criminal activities.

Enhance Vigilance

Maintaining a robust defense strategy against expanding threats involves following advisories from trusted bodies like CISA, and staying educated on emerging cybersecurity threats.

Collaborate With Intelligence

Using information from cybersecurity companies can help businesses take action ahead of time and develop better ways to defend against cyberattacks.

If you need assistance updating your systems or have any additional questions about this vulnerability, please reach out to us.

If you’d like to learn more about this FortiClient vulnerability and how to protect your FortiClient appliances, please contact us by calling (502) 240-0404 or emailing info@mirazon.com.
