SQL injection vulnerability in Fortinet software under attack

A critical Fortinet vulnerability has been actively exploited since at least March 21 and was added to CISA's Known Exploited Vulnerability catalog on Monday.

In a security advisory on March 12, Fortinet detailed a pre-authentication SQL injection vulnerability tracked as CVE-2023-48788 or what the vendor identifies internally as FR-IG-24-007. Fortinet credited Thiago Santana, software development manager at Fortinet, and the U.K.'s National Cyber Security Centre for codiscovering and coreporting the flaw. The vulnerability affects Fortinet FortiClient Endpoint Management Server (EMS) versions 7.0.1 through 7.2.2 and received a CVSS of 9.8 out of 10.

On March 21, Fortinet updated the advisory to warn users that CVE-2023-48788 was being exploited in the wild. On Sunday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed its internet scans detected several vulnerable instances around the world.

"We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL injection) vulnerable instances. 130 vulnerable found on 2024-03-23 Top: US with 30 IPs," Shadowserver Foundation wrote on X, formerly known as Twitter.

That number is potentially higher. Shadowserver noted that its scans only detect the web interface version, and it does not check port 8013 access, which is required for exploitation.

We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL Injection) vulnerable instances.

130 vulnerable found on 2024-03-23

Top: US with 30 IPs

Dashboard geo breakdown: https://t.co/qB7JRwLxDY

Fortinet Advisory: https://t.co/gWWr5cb3F8 pic.twitter.com/taGGm9V6V6

— Shadowserver (@Shadowserver) March 24, 2024

Patching is vital as Fortinet products have been increasingly targeted by threat actors. Last week, exploitation activity escalated for another critical Fortinet flaw tracked as CVE-2024-21762, two days after a proof-of-concept (PoC) exploit was published.

A PoC and full technical analysis is available for the latest Fortinet flaw as well. While it's unclear how wide exploitation activity is, CISA added CVE-2023-48788 to its Known Exploited Vulnerability catalog on Monday.

Horizon3.ai vulnerability researcher James Horseman published a blog post with a PoC and detailed analysis for CVE-2023-48788 on March 21. Horseman confirmed that attackers could alter the PoC to allow for remote code execution by using built-in functionality of the Microsoft SQL Server database.

Additionally, he warned users that attackers might be hiding their tracks by cleaning evidence from logs following exploitation. Like other Fortinet flaws, Horseman told TechTarget Editorial that the exploit for CVE-2023-48788 is trivial for an attacker to exploit.

Threat intelligence vendor GreyNoise observed four IP addresses attempting to exploit the SQL injection flaw between March 22 and March 26.

CISA published an alert on Monday urging organizations to eliminate SQL injection vulnerabilities in their products by adopting more security-centric development practices. The alert highlighted last year's attacks against Progress Software's MoveIT Transfer customers in which a ransomware actor exploited a SQL injection flaw to steal data from thousands of customers.

TechTarget Editorial contacted Fortinet for comment. The vendor sent the following statement.

Fortinet distributed a PSIRT advisory (FG-IR-24-007) that detailed mitigation guidance and recommended next steps regarding CVE-2023-48788. Fortinet diligently balances our commitment to the security of our customers and our culture of transparency. We proactively communicated to customers via Fortinet's PSIRT Advisory process, advising them to follow the guidance provided. For more information regarding CVE-2023-48788, please refer to the Advisory.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.