Fortinet has patched a critical remote code execution vulnerability in its FortiClient Enterprise Management Server for managing endpoint devices.
The flaw, identified as CVE-2024-48788, stems from an SQL injection error in a direct-attached storage component of the server.
It gives unauthenticated attackers a way to execute arbitrary code and commands with system admin privileges on affected systems, using specially crafted requests.
Critical Severity Vulnerability

Fortinet gave the vulnerability a severity rating of 9.3 out of 10 on the CVSS scale, and the National Vulnerability Database assigned it a near-maximum score of 9.8.
The flaw is present in multiple versions of FortiClientEMS 7.2 and FortiClientEMS 7.0, and Fortinet advises organizations using affected versions to upgrade to the newly patched FortiClientEMS 7.2.3 or above, or to FortiClientEMS 7.0.11 or above.
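The advisory's remediation guidance is branch-specific (7.2.x must be at 7.2.3 or later, 7.0.x at 7.0.11 or later), which is exactly the kind of check that goes wrong when version strings are compared as text. The following triage helper is an added example, not code from Fortinet, Horizon3.ai or Dark Reading: it parses FortiClientEMS version strings, compares them numerically against the fixed releases named above, and flags builds that still need the patch. The fixed-version table comes from the advisory summary; because the article only says "multiple versions" of 7.0 and 7.2 are affected, the check conservatively flags every lower build on those two branches and reports any other branch as "not listed" rather than "safe". The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2024-48788: flag FortiClientEMS builds that still need the fix.

Added example, not Fortinet's or Horizon3.ai's code. First fixed releases (7.2.3 and
7.0.11) are taken from the advisory as summarized in the article; branches the article
does not mention are reported as "not listed", not as safe.
"""
from __future__ import annotations

import re

# Per-branch first fixed release, per the advisory summary.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 11),
}

# Accepts "7.2.2", "v7.2.3", or "7.2.2 build0864"-style strings.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[\s.-].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a version string into a numeric (major, minor, patch) tuple.

    Numeric tuples compare correctly; raw strings do not ("7.2.10" < "7.2.3" as text).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'not listed' for one EMS version string."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Branch not covered by the advisory summary: do not claim it is safe.
        return "not listed"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> assessment for an inventory of host -> version string."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the hosts and builds are not real.
    sample = {
        "ems-prod-01": "7.2.2 build0864",
        "ems-prod-02": "v7.2.3",
        "ems-lab": "7.0.10",
        "ems-dr": "7.0.11",
        "ems-old": "6.4.9",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:12s} {sample[host]:18s} {verdict}")
```

The numeric comparison matters: a string comparison would rank "7.2.10" below "7.2.3" and report a patched server as vulnerable, or, with the inequality reversed, the opposite. Feed the function the version string as it appears in the EMS console or your asset inventory; anything it cannot parse raises rather than silently passing.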
The vendor credited a researcher from its own FortiClientEMS development team and the United Kingdom's National Cyber Security Centre (NCSC) with discovering the flaw.
The company's advisory offered scant details on the vulnerability.
Researchers at Horizon3.ai, who have reported multiple previous bugs in Fortinet technologies, said this week that they would release indicators of compromise, a proof-of-concept exploit, and technical details of the bug next week.
There have been no reports of exploit activity in the wild targeting the flaw.
That could quickly change once the technical details and the PoC become available next week, leaving organizations a relatively small window in which to patch before exploitation attempts begin.
As examples of Fortinet flaws that were exploited soon after disclosure, Horizon3.ai pointed to CVE-2023-27997, a critical heap-based buffer overflow in multiple versions of Fortinet's FortiOS and FortiProxy, and CVE-2022-40684, an authentication bypass in FortiOS, FortiProxy, and FortiSwitch Manager that a threat actor sold as an initial-access foothold.
Fortinet vulnerabilities have also featured in warnings from the US Cybersecurity and Infrastructure Security Agency, the National Security Agency, and others about flaws that nation-state-backed threat actors have repeatedly exploited in their campaigns.
The most recent of these warnings pertained to efforts by Volt Typhoon and other China-backed threat groups to break into and maintain persistent access on US critical infrastructure networks.
Two Unpatched Fortinet Bugs

Meanwhile, in a separate development, researchers at Horizon3.ai this week publicly disclosed more details on 16 flaws they reported to Fortinet in 2023, all but two of which the company has already patched.
The flaws, some of which Horizon3.ai described as critical, affect Fortinet's Wireless LAN Manager (WLM) and FortiSIEM products.
The vulnerabilities include SQL injection issues, command injection flaws, and those that enable arbitrary file reads.
According to Horizon3.ai, CVE-2023-34993 allows an unauthenticated attacker to execute arbitrary code on affected systems using specially crafted requests.
CVE-2023-34991 is an unauthenticated SQL injection vulnerability that lets attackers abuse a built-in image listing function in Fortinet WLM; CVE-2023-48782 is a command injection flaw; and CVE-2023-42783 enables an unauthenticated attacker to read arbitrary files on affected systems.
Horizon3.ai identified the two vulnerabilities that remained unpatched as of March 13, 2024, as an unauthenticated limited log file read bug and a static session ID vulnerability.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 14 Mar 2024 20:30:34 +0000