CVE-2023-48788:

SQL injection vulnerability (CWE-89) in Fortinet FortiClientEMS allows remote attackers to execute arbitrary commands via specially crafted network packets, affecting FortiClientEMS versions 7.2.0–7.2.2 and 7.0.1–7.0.10; fixed in 7.2.3 and 7.0.11.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Mar 12, 2024
CISA KEV Date:Mar 25, 2024
Industries Affected:20

Armis Early Warning:

13 Days

Threat Predictions

EPSS Score:94.1
EPSS Percentile:100%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

Fortinet FortiClientEMS has a SQL injection vulnerability (CWE-89) that can be exploited remotely over the network by a remote attacker through specially crafted packets. The vulnerability requires no user interaction and does not require privileges, and successful exploitation can result in unauthorized code or command execution on the EMS server, compromising confidentiality, integrity, and availability. Affected versions are 7.2.0–7.2.2 and 7.0.1–7.0.10. The issue is classified as CRITICAL with CVSS v3.1 base score 9.3. Patches are available in 7.2.3+ and 7.0.11+.

Remediation

Upgrade FortiClientEMS to version 7.2.3 or later, or 7.0.11 or later.
After upgrading, verify the patch by attempting controlled tests to ensure exploitation is no longer possible.
Restrict EMS exposure: place EMS behind VPN or firewall rules, and limit access to trusted networks.
Monitor: follow Fortinet advisory FG-IR-24-007 and check the CISA Known Exploited Vulnerabilities Catalog for indicators of active exploitation.
Prepare for rollback: ensure current backups and a tested rollback plan are in place.
Additional hardening: enable logging and monitoring on EMS, and apply any environment-specific mitigations as recommended by your security team.