Alert: Critical Fortinet Flaw Weaponized to Hijack Corporate Networks with Remote Access Tools

Critical Fortinet Security Flaw Exploited in Global Cyber Campaign

A critical security vulnerability (CVE-2023-48788) in Fortinet FortiClient EMS has been actively exploited by cybercriminals to deploy remote access tools. The flaw, which carries a severe CVSS score of 9.3, allows attackers to execute unauthorized commands through SQL injection.

Kaspersky researchers discovered an October 2024 attack targeting a company’s Windows server with exposed FortiClient EMS ports. The attackers exploited the vulnerability to install ScreenConnect, gaining remote access to the compromised system. Subsequently, they deployed additional tools, including:

– AnyDesk remote control software
– Password recovery utilities (webbrowserpassview.exe and netpass64.exe)
– Network scanning tools
– Mimikatz credential harvester
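The tool chain above (remote-access tool first, credential-recovery and dumping tools afterwards) is something a SOC can correlate in process-creation telemetry. The following is an added example, not code from Kaspersky or from the original report: it reads constructed tab-separated process logs, records the first ScreenConnect or AnyDesk process per host, and flags any of the named follow-on tools (webbrowserpassview.exe, netpass64.exe, Mimikatz) that run on the same host within a 24-hour window. The log format, host names, file paths and the 24-hour window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: remote access tools named in the report. The substrings are an
# assumption about image names (ScreenConnect and AnyDesk binaries contain them).
REMOTE_ACCESS = re.compile(r"screenconnect|anydesk", re.I)
# Stage 2: post-access tooling named in the report.
FOLLOW_ON = re.compile(r"webbrowserpassview\.exe|netpass64\.exe|mimikatz", re.I)

WINDOW = timedelta(hours=24)  # assumption: correlate within one day of first access


def parse(line):
    """Parse one constructed log line: 'ISO-timestamp<TAB>host<TAB>user<TAB>image'."""
    ts, host, user, image = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), host, user, image


def correlate(lines):
    """Return (host, remote-access image, follow-on image) for every follow-on tool
    that ran on a host within WINDOW after that host's first remote-access tool."""
    first_rat = {}  # host -> (timestamp, image name) of the first remote-access tool
    alerts = []
    for ts, host, _user, image in sorted((parse(l) for l in lines if l.strip()),
                                         key=lambda e: e[0]):
        name = image.rsplit("\\", 1)[-1]  # image name without directory
        if REMOTE_ACCESS.search(name):
            first_rat.setdefault(host, (ts, name))
        elif FOLLOW_ON.search(name) and host in first_rat:
            rat_ts, rat_name = first_rat[host]
            if ts - rat_ts <= WINDOW:
                alerts.append((host, rat_name, name))
    return alerts


# Constructed sample telemetry: one host shows the reported chain, the other shows
# AnyDesk followed by Mimikatz two days later, outside the correlation window.
SAMPLE_LOG = """\
2024-10-03T09:12:00\tems-srv01\tSYSTEM\tC:\\Program Files (x86)\\ScreenConnect Client (ID)\\ScreenConnect.ClientService.exe
2024-10-03T09:14:10\tems-srv01\tSYSTEM\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-10-03T09:20:31\tems-srv01\tSYSTEM\tC:\\Users\\Public\\webbrowserpassview.exe
2024-10-03T09:21:05\tems-srv01\tSYSTEM\tC:\\Users\\Public\\netpass64.exe
2024-10-03T10:02:44\tws-finance7\talice\tC:\\Program Files\\AnyDesk\\AnyDesk.exe
2024-10-05T16:40:00\tws-finance7\talice\tC:\\Tools\\mimikatz.exe
"""

if __name__ == "__main__":
    for host, rat, tool in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {tool} ran after remote-access tool {rat}")
```

On the sample data only ems-srv01 is flagged (twice); the AnyDesk host falls outside the window, which is the kind of threshold a team tunes against its own baseline of legitimate remote-support usage.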

The campaign has affected organizations across multiple countries, including:
– Brazil
– Croatia
– France
– India
– Indonesia
– Mongolia
– Namibia
– Peru
– Spain
– Switzerland
– Turkey
– U.A.E.

The attackers utilized various ScreenConnect subdomains for their operations and were observed executing PowerShell scripts to gather information from vulnerable systems. This incident demonstrates an evolution in attack complexity and techniques used to deploy remote access tools.

The vulnerability has since been patched, but this campaign follows similar attacks documented by Forescout eight months earlier, highlighting the persistent threat to unpatched systems.