Published on 14 Mar 2024
Update on 15 Apr 2024:
The critical vulnerability (CVE-2023-48788) is reportedly being actively exploited.
Possible indicators of compromise (IOCs) associated with the ongoing exploitation campaign are shown in the table below.
Network administrators are advised to configure a web application firewall (WAF) to block potentially malicious traffic associated with the exploitation campaign, to review any prior connections, and to scan their systems for signs of exploitation or the presence of the IOCs.
Update on 22 Mar 2024:
The critical vulnerability (CVE-2023-48788) is reportedly being actively exploited. Users and administrators of affected products are advised to update to the latest versions immediately.
Original alert published on 14 Mar 2024:
Fortinet has released security updates to address critical vulnerabilities (CVE-2023-48788, CVE-2023-42789 and CVE-2023-42790) affecting their FortiClient Enterprise Management Server (EMS), FortiOS and FortiProxy products.
The critical vulnerabilities are:
The vulnerabilities affect the following products:
Users and administrators of affected products are advised to update to the latest versions immediately.