Fortinet Warns of Yet Another Critical RCE Flaw

CVE-2024-48788, like many other recent Fortinet flaws, will likely be an attractive target, especially for nation-state-backed actors.

Fortinet has patched a critical remote code execution (RCE) vulnerability in its FortiClient Enterprise Management Server (EMS) for managing endpoint devices.
The flaw, identified as
CVE-2024-48788
, stems from an SQL injection error in a direct-attached storage component of the server. It gives unauthenticated attackers a way to execute arbitrary code and commands with system admin privileges on affected systems, using specially crafted requests.
Fortinet gave the vulnerability a severity rating of 9.3 out of 10 on the CVSS rating scale and the National Vulnerability Database itself has assigned it a near maximum score of 9.8. The flaw is present in multiple versions of FortiClientEMS 7.2 and FortiClientEMS 7.0, and Fortinet advises organizations using affected versions to upgrade to the newly patched FortiClientEMS 7.2.3 or above, or to FortiClientEMS 7.0.11 or above.
The vendor credited a researcher from its FortiClientEMS development team and the United Kingdoms National Cyber Security Center (NCSC) for discovering the flaw.
The company’s advisory offered scant details on the vulnerability. But researchers at Horizon3.ai who have reported multiple previous bugs in Fortinet technologies this week said they would
release indicators of compromise
, a proof-of-concept (PoC) exploit, and technical details of the bug next week.
So far, there have been no reports of exploit activity in the wild targeting the flaw. But that could quickly change when details of the bug and the PoC become available next week, meaning organizations have a relatively small window of opportunity to address the vulnerability before attacks begin.
Fortinet devices have been frequently targeted by attackers with several noteworthy flaws observed since 2019, Tenable
warned in an advisory about CVE-2024-48788
. As examples, the security vendor pointed to
CVE-2023-27997,
a critical heap-based buffer overflow vulnerability in multiple versions of Fortinets FortiOS and FortiProxy technology, and
CVE-2022-40684,
an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager technologies that a threat actor sold for initial access purposes.
Other vulnerabilities in Fortinet devices have
attracted the attention of multiple nation-state threat actors
and
ransomware groups like Conti
. Fortinet vulnerabilities have been included as
part of the top routinely exploited vulnerability lists
in recent years, Tenable said.
Fortinet vulnerabilities have also featured in warnings from the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others about flaws that
nation-stated-backed threat actors
have frequently exploited in their campaigns. The most recent of these warnings pertained to efforts by Volt Typhoon and other China-backed threat groups to break into and
maintain persistent access
on
US critical infrastructure networks
.
Meanwhile, in a separate development, researchers at Horizon3.ai this week publicly
disclosed more details on 16 flaws
they reported to Fortinet in 2023 — all but two of which the company has already patched. The flaws — some of which Horizon described as critical — affect Fortinets Wireless LAN Manager (WLM) and FortiSIEM technologies. The vulnerabilities include SQL injection issues, command injection flaws, and those that enable arbitrary file reads.
Among the vulnerabilities that Horizon3.ai highlighted in its blog this week are
CVE-2023-34993
;
CVE-2023-34991
;
CVE-2023-42783
; and
CVE-2023-48782
.
According to Horizon3.ai, CVE-2023-34993 allows an unauthenticated attacker to execute arbitrary code on affected endpoints using specially crafted requests. CVE-2023-34991 is an unauthenticated SQL injection vulnerability that gives attackers a way to access and abuse a built-in image listing function in Fortinet WLM; CVE-2023-48782 is a command injection flaw; and CVE-2023-42783 enables an unauthenticated attack to do arbitrarily read files on affected systems.
Horizon3.ai identified the two vulnerabilities that remain unpatched as of March 13, 2024, as an unauthenticated limited log file read bug and a static session ID vulnerability.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Fortinet Warns of Yet Another Critical RCE Flaw