Fortinet warns about zero-day that allows SQL injection on FortiClient EMS


Fortinet has released patches for several vulnerabilities across its software. One of the bugs allows SQL injection on FortiClient EMS. A proof-of-concept for that vulnerability has since been published, and it is being actively exploited.

Fortinet warns in an advisory about one of the bugs, which the company itself tracks as FG-IR-24-007 and which is also known as CVE-2023-48788. The bug has a Critical CVSS score of 9.3, mainly because attackers can exploit it remotely and without authentication. The vulnerability affects FortiClient EMS versions 7.2.0 through 7.2.2 and versions 7.0.1 through 7.0.10; it has been resolved in versions 7.2.3 and 7.0.11. The bug allows SQL injection on devices running FortiClient EMS.

Fortinet says the bug is being exploited in the wild, but has not provided details. The Dutch Digital Trust Center (DTC) is now also warning about the bug. A proof-of-concept has also been published, the DTC writes, which in theory makes it easier to carry out an attack.

In addition to the zero-day, Fortinet warns of several other vulnerabilities. One of them is FG-IR-23-390, or CVE-2023-47534, which affects the same vulnerable versions of FortiClient EMS. That bug, with a High CVSS score of 8.7, is also present in all versions of FortiClient 6.0, 6.2 and 6.4; Fortinet recommends that users migrate to a newer version. It is an instance of CWE-1236, improper neutralization of formula elements in a CSV file.
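To illustrate the weakness class named above, here is an added example (not Fortinet's code and not based on the product) of neutralizing formula elements before they reach a CSV export; the helper names and sample rows are constructed for this illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula, plus the whitespace characters that can hide one behind a line break.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will read as literal text.

    Plain numbers (including negatives) are left alone so they still behave as
    numbers; any other value starting with a formula trigger is prefixed with a
    single quote, which spreadsheets treat as "text follows".
    """
    text = str(value)
    if not text or not text.startswith(FORMULA_TRIGGERS):
        return text
    try:
        float(text)  # a genuine number such as "-5" or "+3.5" needs no prefix
        return text
    except ValueError:
        return "'" + text


def export_rows(rows):
    """Write rows as CSV text with every cell neutralized (assumed helper)."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes, which also keeps embedded
    # separators and quotes from breaking the row structure.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an endpoint inventory in which one hostname field holds a
# formula-like string instead of a plain name.
SAMPLE_ROWS = [
    ["hostname", "user", "balance"],
    ["laptop-01", "alice", "-5"],
    ["=SUM(A1:A2)", "bob", "12"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```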

There is also a vulnerability in FortiManager and FortiAnalyzer: FG-IR-23-304, or CVE-2023-41842. It allows an attacker to execute code on a system, but requires authentication. The last bug is FG-IR-23-103, or CVE-2023-36554, a vulnerability in FortiManager. That bug has a CVSS score of 7.7, but can only be exploited if users have FortiWLM MEA enabled. This is not enabled by default, and administrators can protect their systems by disabling the feature.