Fortinet Vulnerability Exploited

Threat actors have been discovered exploiting a Fortinet Forticlient EMS vulnerability to install unauthorized RMM tools and PowerShell backdoors on the targeted systems.

The vulnerability exploited by the threat actors was CVE-2023-48788.

Moreover, an external inbound network connection was found to connect with the FCMdaemon process, followed by downloading and executing RMM tools or PowerShell-based backdoors.

However, Fortinet addressed this vulnerability in March 2024, and its severity was 9.8 (Critical). 

Fortinet Vulnerability Exploited

This vulnerability allows unauthenticated users to execute commands with SYSTEM privileges through specially crafted messages.

In addition to this, a complete report on the exploitation was published by Horizon3 researchers.

To provide a brief explanation, CVE-2024-48788 was associated with SQL injection on Forticlient EMS applications.

Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Nevertheless, the threat actors’ exploitation begins with an external IP address attempting to connect with a specially crafted request to the Forticlient EMS application’s FCMdaemon process through port 8013, Red Canary report.

Intrusion Detection (Source: Red Canary)

If the Forticlient application runs an unpatched version, it can receive a specially crafted message from the threat actors, resulting in an SQL injection attack.

Further, the threat actors utilized this SQL injection to enable xp_cmdshell to execute commands via cmd.exe. 

If the attack is successful, the sqlserver.exe (runs on \MSSQL14.FCEMS\) will spawn the cmd.exe instance, thereby resulting in executing SYSTEM-level commands.

However, this was just the initial part of exploitation from the threat actors. 

Once they have established this connection with elevated privileges, they use PowerShell Invoke-WebRequest cmdlets to download a Windows installer (.msi) file from a malicious IP address. 

Intrusion Detection (Source: Red Canary)

The MSI installers typically used a Remote Monitoring and Management (RMM) tool. The threat actors launched this tool using the msiexec.exe process.

In some instances, failures of RMM tool installations and unsuccessful attempts of PowerShell backdoor deployments were also noticed. A redacted version of the obfuscated commands can be found below.

As an added fact, the threat actors took only 36 seconds to 47 minutes from initial access to install the RMM tools or backdoor.

How To Patch?

Suppose you are running a Forticlient EMS application with version FortiClientEMS 7.2.0 through 7.2.2 or FortiClientEMS 7.0.1 through 7.0.10. In that case, it is recommended to upgrade to the latest version to prevent this vulnerability from getting exploited by threat actors.

Additional information can be found in this security advisory released by Fortinet. If you are looking for a workaround, the below steps can be followed

  • Look for connections from unknown external IP addresses to the FCMdaemon.exe process on the EMS client.
  • Look for PowerShell processes that spawn cmd.exe with sqlserver.exe as a parent process
  • Check for patterns in using Invoke-WebRequest to download MSI files from external network addresses
  • You can either use allowlist or blocklist to prevent unauthorized RMM tool installation in your environment.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.