Security News > 2024 > March > Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788)
A recently fixed SQL injection vulnerability in Fortinet's FortiClient Endpoint Management Server solution has apparently piqued the interest of many: Horizon3's Attack Team means to publish technical details and a proof-of-concept exploit for it next week, and someone is attempting to sell a PoC for less than $300 via GitHub.
"An improper neutralization of special elements used in an SQL Command vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," the company's product security incident response team pithily states in the associated advisory.
The team also shared that the vulnerability was "Co-discovered and reported by Thiago Santana from Fortinet ForticlientEMS development team and UK NCSC", but did not say whether it has been or is currently being exploited in attacks in the wild.
As of Wednesday, someone has set up a GitHub page advertising a "New exploit" for CVE-2023-48788, and linked to a post on SatoshiDisk.com, a web-based platform where users can upload files they want to sell and other users can download them if they pay the set price.
"I think the probability is low that the exploit sold by is real. Currently, I do not see an exploit advertised anywhere else," Dr. Johannes Ullrich, the founder of the SANS Internet Storm Center, told Help Net Security.
He also noted that the vulnerability does not affect Fortinet gateway devices, but FortiClient EMS, instances of which are less likely to be reachable via the internet.
News URL
https://www.helpnetsecurity.com/2024/03/14/cve-2023-48788-poc/
Related news
- MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825) (source)
- CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks (source)
- PoC exploit for Ivanti Endpoint Manager vulnerabilities released (CVE-2024-13159) (source)
- Siemens Teamcenter vulnerability could allow account takeover (CVE-2025-23363) (source)
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-03-12 | CVE-2023-48788 | Unspecified vulnerability in Fortinet Forticlient Enterprise Management Server A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets. | 9.8 |