SQL injection vulnerability in Fortinet software under attack
A critical Fortinet vulnerability has been actively exploited since at least March 21 and was added to CISA’s Known Exploited Vulnerabilities catalog on Monday.
In a security advisory on March 12, Fortinet detailed a pre-authentication SQL injection vulnerability tracked as CVE-2023-48788, which the vendor identifies internally as FR-IG-24-007. On March 21, Fortinet updated the advisory to warn users that CVE-2023-48788 was being exploited in the wild. On Sunday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed that its internet scans had detected several vulnerable instances around the world.
“We have started scanning/reporting Fortinet FortiClient EMS CVE-2023-48788 (pre-auth SQL injection) vulnerable instances. 130 vulnerable found on 2024-03-23 Top: US with 30 IPs,”
That number is potentially higher. Shadowserver noted that its scans only detect the web interface version and do not check port 8013 access, which is required for exploitation.
Patching is vital as Fortinet products have been increasingly targeted by threat actors. Last week, exploitation activity escalated for another critical Fortinet flaw tracked as CVE-2024-21762, two days after a proof-of-concept (PoC) exploit was published.