Advisory

March 29, 2024: Fortinet FortiClientEMS RCE via SQL injection CVE-2023-48788

Global Impact (at time of dissemination)

• 130+ hosts affected globally
• ~70% of globally affected hosts with port 8013 open (default port for exploited FcmDaemon service)
• Most common, vulnerable versions are 7.2.2 and 7.2.1

Top affected countries:
1. US
2. Germany
3. India
4. China
5. Netherlands

Summary

Censys is aware that a Fortinet FortiClientEMS SQL injection vulnerability enabling remote code execution (RCE) was published on March 12, 2024, updated on March 25, 2024, and is currently being exploited in the wild. According to Bleeping Computer, “it allows unauthenticated attackers to gain RCE with SYSTEM privileges on unpatched servers in low-complexity attacks that don’t require user interaction” using FortiClientEMS’s FcmDaemon service.

Impact

Since “FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices,” access to such assets could have enterprise-wide consequences (Bleeping Computer). Coupled with the relatively low barrier for exploitation and reported instances of exploitation in the wild, the potential impact and likelihood of attacks targeting these systems are significant.

Affected Assets

According to the NVD, this issue affects FortiClientEMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2).
Censys’ Rapid Response Team was able to identify:
– FortiClient EMS assets that have exposed web consoles and show indications of running the FcmDaemon service (leveraged in this exploit) via the Search and ASM queries listed below. Note that not all of these services are necessarily vulnerable: administrators can use this data to verify the versions of FortiClient EMS they are running locally.
– Specifically vulnerable versions of FortiClientEMS (as identified in advisories) via the Risk Name for Potentially Vulnerable Devices listed below for Censys ASM customers.

Censys ASM Risk Name
‘Vulnerable FortiClient EMS [CVE-2023-48788]’

Censys ASM customers will see this risk applied to affected assets in their workspaces. Those that have signed up for Rapid Response Automated Risk Alerting will be contacted directly regarding affected assets.

Censys ASM Query

This query is shared for customers who wish to refine or alter versioning for customized operations.

Censys Search Queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.

Recommendations for remediation

Fortinet’s remediation guidance states that owners of the assets should upgrade to the versions listed below:

FortiClientEMS versions 7.2.0 through 7.2.2 should upgrade to 7.2.3 or above.
FortiClientEMS versions 7.0.1 through 7.0.10 should upgrade to 7.0.11 or above.
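As an added example (not part of the Censys advisory or any Fortinet tooling), the following Python script triages a local inventory of FortiClientEMS hosts against the affected ranges quoted above from the NVD and the fixed versions Fortinet recommends, ranking vulnerable hosts with port 8013 open first. The hostnames, the inventory format and the handling of a trailing "build NNNN" suffix are assumptions; versions outside the listed ranges are reported as outside the advisory’s scope rather than as safe.

```python
import re
from typing import Optional

# Affected ranges as stated in the NVD entry cited by the advisory (inclusive),
# each paired with the fixed version Fortinet recommends for that branch.
AFFECTED_RANGES = [
    ((7, 0, 1), (7, 0, 10), "7.0.11"),
    ((7, 2, 0), (7, 2, 2), "7.2.3"),
]

# Assumption: version strings start with x.y.z and may carry a build suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) for '7.2.2' or '7.2.2 build 0864'; None if absent."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(version_text: str, port_8013_open: bool) -> dict:
    """Classify one host: 'vulnerable', 'not_in_advisory_range' or 'unknown_version'.
    Outside-range hosts are not called 'safe': the check only knows what the advisory lists."""
    version = parse_version(version_text)
    if version is None:
        return {"status": "unknown_version", "upgrade_to": None, "exposed": port_8013_open}
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return {"status": "vulnerable", "upgrade_to": fixed, "exposed": port_8013_open}
    return {"status": "not_in_advisory_range", "upgrade_to": None, "exposed": port_8013_open}

# Constructed sample inventory: (hostname, reported version, FcmDaemon port 8013 open).
SAMPLE_INVENTORY = [
    ("ems-01.example.test", "7.2.2", True),
    ("ems-02.example.test", "7.0.11", True),
    ("ems-03.example.test", "7.0.7 build 0422", False),
    ("ems-04.example.test", "7.4.0", True),
    ("ems-05.example.test", "n/a", True),
]

def prioritise(inventory):
    """Return only vulnerable hosts, those with port 8013 open first."""
    rows = [(host, triage(ver, exposed)) for host, ver, exposed in inventory]
    vulnerable = [(h, r) for h, r in rows if r["status"] == "vulnerable"]
    return sorted(vulnerable, key=lambda hr: not hr[1]["exposed"])

if __name__ == "__main__":
    for host, result in prioritise(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {result['upgrade_to']} (port 8013 open: {result['exposed']})")
```

Hosts reported as unknown_version still need a manual version check before they are dropped from the remediation list.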

If you need assistance in positively identifying these assets, please let us know.
