CISA: ‘Critical’ Fortinet EMS Vulnerability Has Seen Exploitation

The cybersecurity agency said Monday it has found ‘evidence of active exploitation’ for the flaw in FortiClient Enterprise Management Server (EMS).

CISA said Monday that a vulnerability in Fortinet’s FortiClientEMS (Enterprise Management Server) has seen exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) cited “evidence of active exploitation” in an advisory, referencing the Fortinet EMS vulnerability as well as vulnerabilities in two products from other vendors.

In a statement Monday, Fortinet said it has distributed an advisory with “detailed mitigation guidance and recommended next steps regarding CVE-2023-48788” and has “proactively communicated to customers” about the issue.

The SQL injection vulnerability in FortiClientEMS (tracked as CVE-2023-48788) has been assigned a “critical” severity score of 9.8 out of 10.0, according to NIST’s National Vulnerability Database listing.

Exploitation of the flaw can allow an attacker to “execute unauthorized code or commands via specially crafted packets,” said NIST (the National Institute of Standards and Technology) in the listing of the vulnerability.

The vulnerability affects FortiClientEMS versions 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10, according to the NIST listing.

Fortinet disclosed the vulnerability on March 12 among five newly disclosed vulnerabilities in its products, two of which were deemed critical at the time.

The FortiClientEMS flaw could enable “a remote and unauthenticated attacker to execute arbitrary commands on the admin workstation via creating malicious log entries with crafted requests to the server,” Fortinet said in its March 12 disclosure.

CISA’s advisory Monday also disclosed that it has seen exploitation of a 2021 vulnerability impacting Ivanti’s Endpoint Manager Cloud Service Appliance (tracked as CVE-2021-44529) and a 2019 flaw affecting the Nice Linear eMerge E3-Series (tracked as CVE-2019-7256).

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA wrote in the advisory.