Critical Vulnerabilities in Fortinet Products

Published on 14 Mar 2024

Update on 15 Apr 2024:

The critical vulnerability (CVE-2023-48788) is reportedly being actively exploited.

Possible indicators of compromise (IOCs) associated with the ongoing exploitation campaign are shown in the table below.

Network administrators are advised to use a web application firewall (WAF), configured to block potentially malicious traffic associated with the exploitation campaign, and to review any prior connections and scan their systems for signs of exploitation or the presence of the IOCs.

Update on 22 Mar 2024:

The critical vulnerability (CVE-2023-48788) is reportedly being actively exploited. Users and administrators of affected products are advised to update to the latest versions immediately.

Original alert published on 14 Mar 2024:

Fortinet has released security updates to address critical vulnerabilities (CVE-2023-48788, CVE-2023-42789 and CVE-2023-42790) affecting their FortiClient Enterprise Management Server (EMS), FortiOS and FortiProxy products.

The critical vulnerabilities are:

  • CVE-2023-48788: Successful exploitation of the SQL injection vulnerability may allow an unauthenticated attacker to execute unauthorised code or commands via specifically crafted requests.
  • CVE-2023-42789 and CVE-2023-42790: Successful exploitation of these out-of-bounds write vulnerabilities may allow an attacker who has access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.

The vulnerabilities affect the following products:

  • FortiClientEMS version 7.2.0 through 7.2.2
  • FortiClientEMS version 7.0.1 through 7.0.10
  • FortiOS version 7.4.0 through 7.4.1
  • FortiOS version 7.2.0 through 7.2.5
  • FortiOS version 7.0.0 through 7.0.12
  • FortiOS version 6.4.0 through 6.4.14
  • FortiOS version 6.2.0 through 6.2.15
  • FortiProxy version 7.4.0
  • FortiProxy version 7.2.0 through 7.2.6
  • FortiProxy version 7.0.0 through 7.0.12
  • FortiProxy version 2.0.0 through 2.0.13

Users and administrators of affected products are advised to update to the latest versions immediately.
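
The following Python check is an added example, not part of the original alert or any Fortinet tooling. It matches an asset inventory against the version ranges listed above, comparing versions as integer tuples so that 7.0.9 falls inside "7.0.1 through 7.0.10". The inventory rows and host names are constructed.

```python
import re

# Affected ranges, copied from the product list in this alert.
ADVISORY = """\
FortiClientEMS version 7.2.0 through 7.2.2
FortiClientEMS version 7.0.1 through 7.0.10
FortiOS version 7.4.0 through 7.4.1
FortiOS version 7.2.0 through 7.2.5
FortiOS version 7.0.0 through 7.0.12
FortiOS version 6.4.0 through 6.4.14
FortiOS version 6.2.0 through 6.2.15
FortiProxy version 7.4.0
FortiProxy version 7.2.0 through 7.2.6
FortiProxy version 7.0.0 through 7.0.12
FortiProxy version 2.0.0 through 2.0.13
"""

LINE = re.compile(r"^(\w+) version (\d+\.\d+\.\d+)(?: through (\d+\.\d+\.\d+))?$")

def vtuple(version):
    """'7.0.10' -> (7, 0, 10); as strings, '7.0.9' would sort after '7.0.10'."""
    return tuple(int(part) for part in version.split("."))

def parse_ranges(text):
    """Return {product_lowercase: [(low, high), ...]}; a lone version has low == high."""
    ranges = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            product, low, high = m.groups()
            ranges.setdefault(product.lower(), []).append((vtuple(low), vtuple(high or low)))
    return ranges

RANGES = parse_ranges(ADVISORY)

def is_affected(product, version):
    """True if the version lies in a listed range; text after x.y.z is ignored."""
    m = re.match(r"v?(\d+\.\d+\.\d+)", version.strip())
    if not m:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    v = vtuple(m.group(1))
    return any(low <= v <= high for low, high in RANGES.get(product.lower(), []))

def audit(inventory):
    """Return the (host, product, version) rows that fall in an affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed inventory; host names are hypothetical.
SAMPLE = [("ems-01", "FortiClientEMS", "7.0.9"), ("fw-edge", "FortiOS", "7.4.2"),
          ("proxy-a", "FortiProxy", "7.4.0")]
```

A False result only means the version is not in this alert's list; it says nothing about other advisories.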

More information is available here: