Critical Fortinet Flaw Now Actively Exploited

Fortinet earlier this month disclosed and issued a patch for the flaw (CVE-2023-48788), which exists in FortiClientEMS, its central management solution for endpoints.

A previously disclosed, critical flaw in Fortinet’s FortiClient Enterprise Management Server (FortiClientEMS) is now being actively exploited by threat actors, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

On March 12, Fortinet disclosed and issued a patch for the SQL injection flaw (CVE-2023-48788), which exists in FortiClientEMS, its central management solution for endpoints. Last week, Fortinet updated the security advisory to reflect that the flaw has been exploited in the wild, and on Monday, CISA added the flaw to its Known Exploited Vulnerabilities catalog.

“An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests,” according to Fortinet in its initial advisory.

SQL injection flaws are a highly prevalent class of vulnerabilities, and CISA on Monday released a joint alert along with the FBI on this type of “persistent defect,” in response to exploitation of the longstanding MOVEit SQL injection flaw by various threat actors and ransomware gangs. In the alert, CISA urged executives at technology manufacturing organizations to review their code formally in order to determine whether it is susceptible to SQL injection compromises.

“If found vulnerable, senior executives should ensure their organizations’ software developers begin immediate implementation of mitigations to eliminate this entire class of defect from all current and future software products,” according to the alert.

Fortinet products have previously been targeted by threat actors. Last month, Fortinet released fixes for a critical remote code execution vulnerability in many versions of its FortiOS software that it said was “potentially being exploited in the wild.” The vulnerability (CVE-2024-21762) is an out-of-bounds write in the sslvpnd component of the software, and it affects FortiOS 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4.

For this most recent flaw in FortiClientEMS, both Fortinet and security researchers advised customers to upgrade to versions 7.2.3 or above for FortiClientEMS 7.2 (versions 7.2.0 through 7.2.2 are impacted), and versions 7.0.11 or above for FortiClientEMS 7.0 (versions 7.0.1 through 7.0.10 are impacted).

“As exploit code has been released and with past abuse of Fortinet flaws by threat actors, including advanced persistent threat (APT) actors and nation-state groups, we highly recommend remediating this vulnerability as soon as possible,” said Chris Boyd with Tenable in a recent analysis of the flaw.