Patch Now: Critical Fortinet RCE Bug Under Active Attack

Published: 23/11/2024   Category: security


A proof-of-concept exploit released last week has spurred attacks on the vulnerability, which the CISA has flagged as an urgent patch priority.



As expected, cyberattackers have pounced on a critical remote code execution (RCE) vulnerability in the Fortinet Enterprise Management Server (EMS) that was patched last week, allowing them to execute arbitrary code and commands with system admin privileges on affected systems.

The flaw, tracked as CVE-2023-48788 with a 9.3 out of 10 CVSS vulnerability-severity score, was one of three that the Cybersecurity and Infrastructure Security Agency (CISA) on March 25 added to its Known Exploited Vulnerabilities Catalog, which keeps track of security vulnerabilities under active exploit. Fortinet, which warned users of the flaw as well as patched it earlier this month, also quietly updated its security advisory to note its exploitation.
Specifically, the flaw is found in FortiClient EMS, the VM version of FortiClient's central management console. It stems from an SQL injection error in a direct-attached storage component of the server and is spurred by communications between the server and endpoints attached to it.

"An improper neutralization of special elements used in an SQL Command ... vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," according to Fortinet's advisory.
The current exploitation of the flaw follows the release last week of proof-of-concept (PoC) exploit code, as well as an analysis by researchers at Horizon.ai detailing how the flaw can be exploited.
Horizon.ai researchers discovered that the flaw lies in how the server's main service responsible for communicating with enrolled endpoint clients — FcmDaemon.exe — interacts with those clients. By default, the service listens on port 8013 for incoming client connections, which the researchers used to develop the PoC.
Other components of the server that interact with this service include a data access server, FCTDas.exe, which is responsible for translating requests from various other server components into SQL requests that then interact with the Microsoft SQL Server database.
To go about exploiting the flaw, Horizon.ai researchers first established what typical communications between a client and the FcmDaemon service should look like by configuring an installer and deploying a basic endpoint client.
"We found that normal communications between an endpoint client and FcmDaemon.exe are encrypted with TLS, and there didn't seem to be an easy way to dump TLS session keys to decrypt the legitimate traffic," Horizon.ai exploit developer James Horseman explained in the post.

The team then gleaned details from the service's log about the communications, which provided the researchers enough information to write a Python script to communicate with the FcmDaemon. After some trial and error, the team was able to "examine the message format and enable meaningful communication with the FcmDaemon service to trigger an SQL injection," Horseman wrote.

"We constructed a simple sleep payload of the form `AND 1=0; WAITFOR DELAY '00:00:10' --`," he explained in the post. "We noticed the 10-second delay in response and knew that we had triggered the exploit."

To turn this SQL injection vulnerability into an RCE attack, the researchers used the built-in xp_cmdshell functionality of Microsoft SQL Server to create the PoC, according to Horseman. "Initially, the database was not configured to run the xp_cmdshell command; however, it was trivially enabled with a few other SQL statements," he wrote.

It's important to note that the PoC only confirms the vulnerability by using a simple SQL injection without xp_cmdshell; for an attacker to enable RCE, the PoC must be altered, Horseman added.
Fortinet bugs are popular targets for attackers, as Chris Boyd, staff research engineer at security firm Tenable, warned in his advisory about the flaw originally published on March 14. He cited as examples several other Fortinet flaws — such as CVE-2023-27997, a critical heap-based buffer overflow vulnerability in multiple Fortinet products, and CVE-2022-40684, an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager technologies — that were exploited by threat actors. In fact, the latter bug was even sold for the purpose of giving attackers initial access to systems.
"As exploit code has been released and with past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible," Boyd wrote in an update to his advisory after the Horizon.ai release.
Fortinet and the CISA also are urging clients who didn't use the window of opportunity between the initial advisory and the release of the PoC exploit to patch servers vulnerable to this latest flaw immediately.
To help organizations identify if the flaw is under exploitation, Horizon.ai's Horseman explained how to identify indicators of compromise (IoCs) in an environment. "There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity," he wrote. "The MS SQL logs can also be examined for evidence of xp_cmdshell being utilized to obtain command execution."
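The IoC guidance above (EMS log files reviewed for connections from unrecognized clients, and MS SQL logs reviewed for xp_cmdshell use) and the earlier description of the time-based `WAITFOR DELAY` probe and xp_cmdshell enablement can be turned into a small log triage script. The following is an added example written for this page; it is not code from Horizon.ai, Fortinet or the article. The log line formats, the enrolled-client inventory and the indicator names are constructed assumptions for illustration, not real FortiClient EMS or SQL Server output.

```python
"""Triage helper for the two indicator classes described in the article:
suspicious SQL activity (time-based probes, xp_cmdshell enablement and
use) and FcmDaemon connections from clients that are not enrolled.
Added example; log shapes below are constructed, not vendor output."""
import re
from typing import Dict, List, Set

# Constructed sample lines shaped like a SQL Server batch/audit log.
SQL_LOG = """\
2024-03-20 10:14:55 spid51 SELECT * FROM fcm_clients WHERE id = 'abc123'
2024-03-20 10:15:02 spid51 SELECT * FROM fcm_clients WHERE id = 'x' AND 1=0; WAITFOR DELAY '00:00:10' --'
2024-03-20 10:15:20 spid51 EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2024-03-20 10:15:21 spid51 EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2024-03-20 10:15:25 spid51 EXEC xp_cmdshell 'whoami'
2024-03-20 10:16:00 spid52 UPDATE fcm_clients SET last_seen = GETDATE() WHERE id = 'abc123'
"""

# Constructed sample lines shaped like an FcmDaemon connection log.
FCM_LOG = """\
2024-03-20 10:14:50 FcmDaemon accepted connection from 10.10.1.21:49211
2024-03-20 10:15:01 FcmDaemon accepted connection from 203.0.113.7:51234
2024-03-20 10:15:59 FcmDaemon accepted connection from 10.10.1.22:49300
"""

# Hypothetical inventory of enrolled endpoint addresses (assumption);
# in practice this comes from the EMS endpoint inventory or DHCP/CMDB.
ENROLLED_CLIENTS: Set[str] = {"10.10.1.21", "10.10.1.22"}

# Ordered indicator patterns.  Each is anchored on the specific construct
# so that an sp_configure call is not also reported as xp_cmdshell execution.
SQL_INDICATORS = [
    ("time_based_probe", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("xp_cmdshell_enable",
     re.compile(r"\bsp_configure\s+'?xp_cmdshell'?\s*,\s*1\b", re.I)),
    ("advanced_options_enable",
     re.compile(r"\bsp_configure\s+'?show advanced options'?\s*,\s*1\b", re.I)),
    ("xp_cmdshell_exec",
     re.compile(r"\b(?:EXEC|EXECUTE)\s+(?:master\.\.|master\.dbo\.)?xp_cmdshell\b", re.I)),
]

CONN_RE = re.compile(r"connection from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def classify_sql_line(line: str) -> List[str]:
    """Return the names of every indicator pattern that matches one line."""
    return [name for name, rx in SQL_INDICATORS if rx.search(line)]


def scan_sql_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = classify_sql_line(line)
        if hits:
            findings.append({"line": lineno, "indicators": hits, "text": line})
    return findings


def unrecognized_clients(text: str, enrolled: Set[str]) -> List[str]:
    """Return source IPs that connected to FcmDaemon but are not enrolled,
    in first-seen order and without duplicates."""
    seen: List[str] = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(1) not in enrolled and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


if __name__ == "__main__":
    for f in scan_sql_log(SQL_LOG):
        print(f"SQL line {f['line']}: {', '.join(f['indicators'])}")
    for ip in unrecognized_clients(FCM_LOG, ENROLLED_CLIENTS):
        print(f"FcmDaemon connection from unenrolled client {ip}")
```

The script reports the `WAITFOR DELAY` probe, the two `sp_configure` calls that enable xp_cmdshell, the xp_cmdshell execution, and the one connection from an address outside the enrolled set. Two caveats when applying the same idea to real data: the default SQL Server error log does not record statement text, so batch-level evidence needs SQL Server Audit or an Extended Events session to have been enabled beforehand, whereas `sp_configure` changes do leave "Configuration option ... changed" messages in the error log; and any client allowlist must be built from the EMS inventory rather than from the same logs being examined.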
