
Fortinet RCE Vulnerability

Fortinet, a global cybersecurity company renowned for its network security appliances and security subscription services, has faced numerous vulnerabilities over the years, often exploited in ransomware attacks and zero-day exploits. Notably, vulnerabilities in FortiOS, FortiProxy, and FortiSwitch have been exploited (CVE-2023-27997 and CVE-2022-40684).


These vulnerabilities have not gone unnoticed by cybersecurity authorities, with warnings issued by entities such as the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA). These warnings often highlight vulnerabilities targeted by nation-state-backed threat actors.


The most recently discovered vulnerability affected Fortinet’s Enterprise Management Server (EMS), a critical component in the company’s suite of cybersecurity solutions that enables administrators to manage endpoints within an enterprise network. EMS was found vulnerable to a critical SQL injection flaw identified as CVE-2023-48788. This vulnerability allowed unauthenticated attackers to execute unauthorized code or commands.


NIST’s NVD described the vulnerability as “A improper neutralization of special elements used in an sql command (‘sql injection’) in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.”


Horizon3.ai published a detailed explanation of the vulnerability and a PoC exploit that confirms the SQL injection vulnerability but does not include remote code execution capabilities. To enable RCE, the PoC needs to be modified to use Microsoft SQL Server’s xp_cmdshell procedure.
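
Because the path from SQL injection to code execution runs through xp_cmdshell, a change to that option in the SQL Server error log is a useful detection signal. The sketch below is an added example, not code from Fortinet, Horizon3.ai or this article; it assumes SQL Server's standard "Configuration option ... changed" error-log message, and the function names and sample log lines are constructed for illustration.

```python
import re

# SQL Server writes this message to its error log whenever sp_configure
# changes an option; the sample lines below are constructed for illustration.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# 'show advanced options' must be on before xp_cmdshell can be changed, so track both.
WATCHED = {"xp_cmdshell", "show advanced options"}

SAMPLE_ERRORLOG = """\
2024-03-21 09:02:11.18 spid12s     Starting up database 'tempdb'.
2024-03-21 10:15:32.41 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-21 10:15:32.45 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-21 10:20:03.90 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-03-21 11:00:00.00 spid60      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
"""

def find_xp_cmdshell_changes(log_text):
    """Return one dict per watched option change, tagged as enabled or disabled."""
    findings = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m or m["option"].lower() not in WATCHED:
            continue
        enabled = m["old"] == "0" and m["new"] != "0"
        findings.append({
            "timestamp": m["ts"], "session": m["spid"], "option": m["option"],
            "action": "enabled" if enabled else "disabled",
            "severity": "high" if enabled and m["option"].lower() == "xp_cmdshell" else "info",
        })
    return findings

def enable_then_disable(findings):
    """True if a session enabled xp_cmdshell and later turned it off again (cleanup pattern)."""
    enabled_by = set()
    for f in findings:
        if f["option"].lower() != "xp_cmdshell":
            continue
        if f["action"] == "enabled":
            enabled_by.add(f["session"])
        elif f["session"] in enabled_by:
            return True
    return False

if __name__ == "__main__":
    print(*find_xp_cmdshell_changes(SAMPLE_ERRORLOG), sep="\n")
```

If xp_cmdshell was already enabled on the database server, no change message is written, so an empty result does not rule out its use.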


The vulnerability was assigned a maximum CVSS score of 9.8 (Critical) and has since been patched by Fortinet.

Fortinet recommended that users upgrade from:

  • FortiClientEMS versions 7.2.0 through 7.2.2 to versions 7.2.3 or above
  • FortiClientEMS versions 7.0.1 through 7.0.10 to versions 7.0.11 or above