
Fortinet EMS flaw actively exploited to deploy Remote Access hacking tools

Take action: If you are running Fortinet EMS, make sure its management interfaces and ports are not accessible from the internet and PATCH IMMEDIATELY. The attacked flaw is over a year old, so it's really shameful if you get hacked.


Learn More

During an incident response investigation in December 2024, Kaspersky's GERT team identified an attack targeting a vulnerability in FortiClient EMS.

The vulnerability is tracked as CVE-2023-48788 (CVSS score 9.3) and is an SQL injection flaw that enables attackers to execute unauthorized code or commands through specially crafted data packets. The security firm discovered this exploitation during an October 2024 incident involving an unnamed company's Windows server that was exposed to the internet with open FortiClient EMS ports.

The attack sequence began with threat actors exploiting CVE-2023-48788 as their initial access vector. The targeted system was being used to distribute VPN access policies to corporate devices. The attackers employed several tools and techniques after gaining initial access:

  • Remote Access Tools:
    • ScreenConnect (ConnectWise)
    • AnyDesk
  • Credential Theft Tools:
    • WebBrowserPassView
    • NetPass64
    • Mimikatz
  • Network Enumeration Tools:
    • Netscan.exe
    • Various network scanning utilities

The campaign's scope was global, with targets identified across multiple countries including Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the United Arab Emirates.

Further investigation revealed additional exploitation attempts of the same vulnerability. On October 23, 2024, Kaspersky detected attempts to execute a PowerShell script hosted on a webhook.site domain, designed to collect responses from vulnerable systems.
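
The tools and the webhook.site PowerShell activity described above can be hunted for in process-creation logs. The following is an added example, not code from Kaspersky or from this article; it assumes Sysmon-style events exported as JSON lines with `Computer`, `Image` and `CommandLine` fields, and the file-name substrings and sample events are constructed for illustration.

```python
import json
import ntpath

# Tool names as listed in the article. Matching on file-name substrings is an
# assumption of this example: a renamed binary will not match, and AnyDesk or
# ScreenConnect may be legitimate in your environment, so treat hits as leads.
TOOL_MARKERS = {
    "remote-access": ("screenconnect", "anydesk"),
    "credential-theft": ("webbrowserpassview", "netpass64", "mimikatz"),
    "network-enumeration": ("netscan",),
}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

def classify(event):
    """Return the set of finding categories for one process-creation event."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    found = {cat for cat, markers in TOOL_MARKERS.items()
             if any(m in image or m in cmdline for m in markers)}
    # PowerShell referencing webhook.site, as in the 23 October 2024 attempts.
    if image in POWERSHELL_IMAGES and "webhook.site" in cmdline:
        found.add("powershell-webhook")
    return found

def hunt(lines):
    """Scan JSON-lines events and return {host: sorted categories seen}."""
    hits = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or corrupt record: skip, keep hunting
        if isinstance(event, dict) and (found := classify(event)):
            hits.setdefault(event.get("Computer", "unknown"), set()).update(found)
    return {host: sorted(cats) for host, cats in hits.items()}

# Constructed sample events (hosts, paths and URL are made up for this example).
SAMPLE = r'''
{"Computer":"EMS01","Image":"C:\\Users\\Public\\netscan.exe","CommandLine":"netscan.exe"}
{"Computer":"EMS01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe [constructed] https://webhook.site/EXAMPLE-ID"}
{"Computer":"EMS01","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec /i ScreenConnect.ClientSetup.msi"}
{"Computer":"EMS01","Image":"C:\\Temp\\mimikatz.exe","CommandLine":"mimikatz.exe"}
{"Computer":"WS07","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","CommandLine":"AnyDesk.exe"}
{"Computer":"WS09","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe"}
{"Computer":"WS09","Image":
'''

if __name__ == "__main__":
    for host, cats in hunt(SAMPLE.splitlines()).items():
        print(host, cats)
```

A host that shows several categories at once, as the constructed EMS01 does, deserves attention before a host with a single remote-access hit.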

Users are advised to upgrade to FortiClient EMS versions:

  • 7.0.11–7.0.13 or later
  • 7.2.3 or later