Attackers exploiting a FortiClient EMS vulnerability in the wild
Dec. 19, 2024, 5:38 p.m.
Description
Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools such as ScreenConnect and AnyDesk, and carried out network enumeration, credential theft, and defense evasion. The vulnerability allows unauthorized code execution via specially crafted data packets. Multiple threat actors have been observed exploiting this vulnerability globally, targeting various companies and consistently altering ScreenConnect subdomains. The analysis highlights the importance of timely patching and of implementing additional security controls to prevent such attacks.
Date
Published: Dec. 19, 2024, 2:41 p.m.
Created: Dec. 19, 2024, 2:41 p.m.
Modified: Dec. 19, 2024, 5:38 p.m.
Attack Patterns
T1078.002
T1059.001
T1555
T1562.001
T1021
T1105
T1570
T1190