Hackers Exploit Critical Fortinet Vulnerability to Deploy Remote Access Tools


A critical security vulnerability in Fortinet’s FortiClient EMS, identified as CVE-2023-48788, is being actively exploited by cybercriminals to deploy remote access tools such as AnyDesk and ScreenConnect. The flaw, which has a CVSS score of 9.3, allows attackers to execute unauthorized commands on affected systems via SQL injection.

The vulnerability was first detected in October 2024, when Kaspersky reported an attack targeting a company's Windows server exposed to the internet with two open ports related to FortiClient EMS. The company, which uses FortiClient EMS to enable secure VPN access for its employees, became the victim of the exploit.

Attackers used CVE-2023-48788 to gain initial access and drop ScreenConnect, a remote access tool, to gain control over the server. Once the attackers gained access, they uploaded additional malicious payloads to perform network reconnaissance, collect credentials, evade defenses, and establish further persistence via AnyDesk.

Other tools deployed during the attack included:

  • webbrowserpassview.exe: A password recovery tool for browsers like Chrome, Firefox, and Internet Explorer.

  • Mimikatz: A well-known credential extraction tool.

  • netpass64.exe: Another password recovery utility.

  • netscan.exe: A network scanning tool.

The cybercriminals are believed to have targeted organizations in countries including Brazil, France, India, Turkey, and the UAE, using various ScreenConnect subdomains to facilitate the attack.

Kaspersky also reported ongoing attempts to weaponize CVE-2023-48788 on October 23, 2024, with attackers executing PowerShell scripts to collect information from vulnerable systems.
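The tool list above and the PowerShell-based collection Kaspersky observed are the concrete things a defender can hunt for on an EMS server. The script below is an added example, not code from the article, Kaspersky or Fortinet: it runs a small process-creation hunt over constructed log lines, flagging the tools the article names and PowerShell launched from a parent process that is not on an allowlist. The log format, the host and path names (including the `ems-service.exe` parent) and the allowlist are assumptions chosen for the example, not real Fortinet artefacts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tool names taken from the article, mapped to the role the article gives them.
# Illustrative indicators only: a real hunt would add hashes, paths and signers.
TOOL_INDICATORS: Dict[str, str] = {
    "screenconnect": "remote access tool (initial foothold)",
    "anydesk": "remote access tool (persistence)",
    "webbrowserpassview.exe": "browser password recovery",
    "mimikatz": "credential extraction",
    "netpass64.exe": "password recovery",
    "netscan.exe": "network scanning",
}

# Assumption: on a server that only hosts FortiClient EMS, PowerShell is
# normally launched from an administrator's interactive session. Tune per site.
EXPECTED_POWERSHELL_PARENTS = {"explorer.exe", "cmd.exe"}

# Constructed log format (assumption): one process-creation event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks suspicious (empty list if none)."""
    reasons: List[str] = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmdline = event["cmdline"].lower()
    for name, role in TOOL_INDICATORS.items():
        if name in image or name in cmdline:
            reasons.append(f"{role}: {name}")
    if image == "powershell.exe" and parent not in EXPECTED_POWERSHELL_PARENTS:
        reasons.append(f"powershell spawned by unexpected parent: {parent}")
    return reasons


def hunt(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, host, image, reasons) for every flagged event."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append((event["ts"], event["host"], basename(event["image"]), reasons))
    return findings


# Constructed sample log: hostnames, paths and the ems-service.exe parent are
# placeholders for the example, not real FortiClient EMS file names.
SAMPLE_LOG = r"""
2024-10-23T10:00:01Z host=ems-srv parent=C:\Windows\System32\services.exe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"
2024-10-23T10:05:10Z host=ems-srv parent=C:\placeholder\ems-service.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\Users\Public\collect.ps1"
2024-10-23T10:06:42Z host=ems-srv parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Users\Public\screenconnect_setup.exe cmdline="screenconnect_setup.exe /silent"
2024-10-23T10:20:03Z host=ems-srv parent=C:\Windows\System32\cmd.exe image=C:\Users\Public\mimikatz.exe cmdline="mimikatz.exe"
2024-10-23T10:25:17Z host=ems-srv parent=C:\Windows\System32\cmd.exe image=C:\Users\Public\netscan.exe cmdline="netscan.exe"
2024-10-23T11:00:00Z host=ems-srv parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe"
"""

if __name__ == "__main__":
    for ts, host, image, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {host} {image}: {'; '.join(reasons)}")
```

The parent-process rule is the part worth keeping even after the tool names go stale: a service process on an EMS host spawning PowerShell is the kind of event that the SQL-injection-to-command-execution chain in the article would produce, whatever the payload is called.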

This attack follows a similar campaign uncovered by Forescout earlier this year, highlighting how the tactics attackers use to deploy remote access tools are evolving and becoming more sophisticated. The vulnerability was patched by Fortinet in late 2024.