Fortinet has patched a critical remote code execution (RCE) vulnerability in its FortiClient Enterprise Management Server (EMS) for managing endpoint devices.
The flaw, identified as CVE-2024-48788, stems from an SQL injection error in a direct-attached storage component of the server. It gives unauthenticated attackers a way to execute arbitrary code and commands with system admin privileges on affected systems, using specially crafted requests.
Critical Severity Vulnerability
Fortinet gave the vulnerability a severity rating of 9.3 out of 10 on the CVSS scale, and the National Vulnerability Database has assigned it a near-maximum score of 9.8. The flaw is present in multiple versions of FortiClientEMS 7.2 and FortiClientEMS 7.0, and Fortinet advises organizations running affected versions to upgrade to the newly patched FortiClientEMS 7.2.3 or above, or to FortiClientEMS 7.0.11 or above.
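As an added illustration of the upgrade guidance above (not code from Fortinet, Horizon3.ai, or this article), the following Python snippet triages a constructed FortiClientEMS version inventory against the two fixed versions named, 7.2.3 and 7.0.11. It conservatively flags every earlier release on the 7.2 and 7.0 branches for upgrade, and marks branches the article does not mention for manual review rather than assuming they are safe.

```python
"""Triage FortiClientEMS version strings against the fixed versions above.

Added example, not Fortinet's or Horizon3.ai's code. Assumes version strings of
the form "major.minor.patch" as an administrator would collect them from an
asset inventory; the sample inventory below is constructed.
"""

# Fixed versions per affected branch, as stated in the article: 7.2.3 and 7.0.11.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 11),
}


def parse_version(text: str) -> tuple:
    """Turn "7.2.1" into (7, 2, 1); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    # Integer tuples compare numerically, so 7.2.10 correctly sorts after 7.2.3.
    return tuple(int(p) for p in parts)


def triage(version_text: str) -> str:
    """Classify one EMS version as 'patched', 'upgrade', or 'unknown-branch'."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branches the advisory summary does not mention are not assumed safe.
        return "unknown-branch"
    return "patched" if version >= fixed else "upgrade"


def triage_inventory(inventory: dict) -> dict:
    """Map host -> verdict for a {host: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.2.2",
    "ems-prod-02": "7.2.3",
    "ems-dr-01": "7.0.10",
    "ems-lab-01": "7.0.11",
    "ems-old-01": "6.4.9",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```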
The vendor credited a researcher from its FortiClientEMS development team and the United Kingdom's National Cyber Security Centre (NCSC) with discovering the flaw.
The company's advisory offered scant details on the vulnerability. But researchers at Horizon3.ai, who have reported multiple previous bugs in Fortinet technologies, said this week that they would release indicators of compromise, a proof-of-concept (PoC) exploit, and technical details of the bug next week.
So far, there have been no reports of exploit activity in the wild targeting the flaw. But that could quickly change when details of the bug and the PoC become available next week, meaning organizations have a relatively small window of opportunity to address the vulnerability before attacks begin.
Popular Attacker Target
“Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019,” Tenable warned in an advisory about CVE-2024-48788. As examples, the security vendor pointed to CVE-2023-27997, a critical heap-based buffer overflow vulnerability in multiple versions of Fortinet’s FortiOS and FortiProxy technology, and CVE-2022-40684, an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager technologies that a threat actor sold for initial access purposes.
“Other vulnerabilities in Fortinet devices have attracted the attention of multiple nation-state threat actors and ransomware groups like Conti. Fortinet vulnerabilities have been included as part of the top routinely exploited vulnerability lists in recent years,” Tenable said.
Fortinet vulnerabilities have also featured in warnings from the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others about flaws that nation-state-backed threat actors have frequently exploited in their campaigns. The most recent of these warnings pertained to efforts by Volt Typhoon and other China-backed threat groups to break into and maintain persistent access on US critical infrastructure networks.
Two Unpatched Fortinet Bugs
Meanwhile, in a separate development, researchers at Horizon3.ai this week publicly disclosed more details on 16 flaws they reported to Fortinet in 2023 — all but two of which the company has already patched. The flaws — some of which Horizon described as critical — affect Fortinet’s Wireless LAN Manager (WLM) and FortiSIEM technologies. The vulnerabilities include SQL injection issues, command injection flaws, and those that enable arbitrary file reads.
Among the vulnerabilities that Horizon3.ai highlighted in its blog this week are CVE-2023-34993, CVE-2023-34991, CVE-2023-42783, and CVE-2023-48782.
According to Horizon3.ai, CVE-2023-34993 allows an unauthenticated attacker to execute arbitrary code on affected endpoints using specially crafted requests. CVE-2023-34991 is an unauthenticated SQL injection vulnerability that gives attackers a way to access and abuse a built-in image listing function in Fortinet WLM; CVE-2023-48782 is a command injection flaw; and CVE-2023-42783 enables an unauthenticated attacker to read arbitrary files on affected systems.
Horizon3.ai identified the two vulnerabilities that remain unpatched as of March 13, 2024, as an unauthenticated limited log file read bug and a static session ID vulnerability.