Monday, May 5, 2025

Exploit Released For Critical Fortinet RCE Flaw: Patch Soon!


FortiClientEMS (Enterprise Management Server), the security solution used for scalable and centralized management, was found to contain an SQL injection vulnerability that could allow an unauthenticated threat actor to execute unauthorized code or commands on vulnerable servers through specially crafted requests.

This vulnerability exists due to improper neutralization of special elements used in an SQL command. It has been assigned CVE-2023-48788, with a severity of 9.8 (Critical).

FortiGuard has acted swiftly on this vulnerability and has released patches to fix it.


Moreover, this vulnerability was found to be exploited by threat actors in the wild. In addition, a proof-of-concept for this vulnerability has also been released.

Proof Of Concept Analysis – CVE-2023-48788

According to the reports shared with Cyber Security News, this vulnerability involves multiple components of FortiClient EMS, such as FmcDaemon.exe, FCTDas.exe and one or more endpoint clients.


In brief, FmcDaemon.exe is the main service used for communicating with enrolled clients. By default it listens on port 8013 for all incoming connections.

FCTDas.exe is the Data Access Server. It translates requests from various other server components into SQL requests and interacts with the Microsoft SQL Server database.

The endpoint clients communicate with FmcDaemon on the server via port 8013 (tcp).

The vulnerable component was discovered by scanning the installation folder for common SQL strings, which revealed that FCTDas.exe establishes connections to the local database over tcp/1433 and also listens for incoming connections on localhost port tcp/65432.

FCTDas.exe connections (Source: Horizon3)

Finding the Vulnerability Trigger

After enabling debug logging to capture the communications between FmcDaemon.exe and an endpoint, it was discovered that many of the message-handling functions were making use of functionality from policyhelper.dll.

The SQL injection was confirmed by simply updating the FCTUID in the FmcDaemon message to carry a simple sleep payload, which delayed the server's response by 10 seconds.

SQL Query in DAS logs (Source: Horizon3)

To escalate this into remote code execution, the built-in xp_cmdshell functionality of Microsoft SQL Server was used, after first being enabled via a few other SQL statements.

Moreover, Horizon3 researchers have published a proof-of-concept that only triggers the SQL injection vulnerability to confirm its existence.

Xp_cmdshell logs (Source: Horizon3)

For FortiClientEMS, there are several log files under the directory C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be used for further analysis of malicious activity.

As an alternative, the MS SQL logs can also be examined for additional evidence of exploitation through xp_cmdshell.
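The log review described above can be scripted. The following is an added triage example, not code from Horizon3 or Fortinet: it scans the FortiClientEMS log directory (or any exported MS SQL log directory passed to `scan_dir`) for xp_cmdshell activity, time-delay statements and FCTUID values containing SQL metacharacters. The log line layout, the `FCTUID=` notation and the rule that a legitimate FCTUID is purely alphanumeric are assumptions, and the sample lines are constructed.

```python
import re
from pathlib import Path

# Log directory named in the article; adjust for a non-default install.
LOG_DIR = Path(r"C:\Program Files (x86)\Fortinet\FortiClientEMS\logs")

INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "advanced_options": re.compile(r"show advanced options", re.I),
    "time_delay": re.compile(r"waitfor\s+delay", re.I),
    # Assumption: a legitimate FCTUID holds only letters, digits and hyphens,
    # so a quote or semicolon directly inside the value is suspicious.
    "fctuid_metachar": re.compile(r"FCTUID=[0-9A-Za-z-]*['\";]"),
}

# Constructed sample lines (log layout is assumed, not taken from the product).
SAMPLE = [
    "2024-03-20 10:01:02 [DAS] lookup FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD",
    "2024-03-20 10:01:09 [DAS] lookup FCTUID=CBE8FC12'; WAITFOR DELAY '00:00:10' --",
    "2024-03-20 10:02:30 spid52 Configuration option 'xp_cmdshell' changed from 0 to 1.",
]

def read_text(path):
    """Decode a log file; SQL Server error logs are often UTF-16 with a BOM."""
    raw = path.read_bytes()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(enc, errors="replace")

def scan_lines(lines, source="<sample>"):
    """Return (source, line_no, indicator, text) for every indicator match."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((source, no, name, line.strip()))
    return hits

def scan_dir(log_dir=LOG_DIR):
    """Scan every regular file under log_dir, including rotated logs."""
    hits = []
    for path in sorted(p for p in Path(log_dir).rglob("*") if p.is_file()):
        hits.extend(scan_lines(read_text(path).splitlines(), str(path)))
    return hits

if __name__ == "__main__":
    found = scan_dir() if LOG_DIR.is_dir() else scan_lines(SAMPLE)
    for source, no, name, text in found:
        print(f"{source}:{no}: [{name}] {text[:160]}")
```

A hit is a lead for review rather than proof of compromise, since an administrator may have changed these SQL Server options legitimately.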

Additionally, the NodeZero threat actor was also found to be using different techniques to gain execution over vulnerable FortiClientEMS servers using this vulnerability.

NodeZero Attack technique (Source: Horizon3)


Eswar