The US cybersecurity agency CISA is warning organizations that a recently disclosed Fortinet FortiClient Enterprise Management Server (EMS) vulnerability tracked as CVE-2023-48788 is being exploited in attacks.
The vulnerability affecting the enterprise endpoint management solution has been described as a critical SQL injection bug that can be exploited by an unauthenticated attacker to execute arbitrary code or commands using specially crafted requests.
Fortinet disclosed the vulnerability on February 22, when it announced that patches are included in FortiClient EMS versions 7.0.11, 7.2.3 and later.
The UK’s National Cyber Security Centre (NCSC) and a Fortinet employee have been credited for discovering CVE-2023-48788.
On March 21, cybersecurity firm Horizon3.ai disclosed technical details of the vulnerability and published a proof-of-concept (PoC) exploit.
CISA added CVE-2023-48788 to its Known Exploited Vulnerabilities (KEV) catalog on Monday, urging organizations to install patches or implement mitigations as soon as possible.
Fortinet has updated its advisory to add that the vulnerability “is exploited in the wild”.
No information appears to be available on the attacks leveraging CVE-2023-48788, but Fortinet product vulnerabilities have often been exploited by state-sponsored threat actors.
The Shadowserver Foundation reported seeing 130 apparently vulnerable systems that had been accessible directly from the internet as of March 23, including 30 in the United States.
CISA on Monday also added CVE-2021-44529 to its KEV catalog. This is an old Ivanti Endpoint Manager vulnerability that allows an unauthenticated attacker to execute arbitrary code.
Threat intelligence firm GreyNoise has been seeing attempts to exploit this vulnerability, which may have been the result of a backdoor in an open source project.
Related: Possibly Exploited Fortinet Flaw Impacts Many Systems, but No Signs of Mass Attacks
Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks