Blog article

Weekly Digest Week 12 – 2024

Publication date

22.03.2024

Critical Fortinet FortiClient EMS flaw actively exploited in the wild

Researchers from Horizon3 have developed a proof-of-concept (PoC) exploit for a critical vulnerability (CVE-2023-48788, CVSS score 9.3) found in Fortinet’s FortiClient Enterprise Management Server (EMS) software.

The vulnerability is categorized as a severe SQL injection flaw located in the DAS component of the software.

If exploited, this vulnerability could allow unauthorized execution of code or commands by an attacker through specially crafted requests.

Affected versions of FortiClientEMS include 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10, with the solution being an upgrade to version 7.2.3 or above for 7.2 users and version 7.0.11 or above for 7.0 users.

Although initially reported that there were no known attacks exploiting this vulnerability, Fortinet has since confirmed active exploitation in the wild.

While the PoC exploit does not utilize the xp_cmdshell functionality of Microsoft SQL Server, it is possible to enable remote code execution by altering the PoC.

Horizon3 recommends examining log files in specific directories for evidence of unauthorized connections or malicious activity, including MS SQL logs for indications of command execution. 

Analysis from our SOC team
As indicated in the article, the CVE-2023-48788 vulnerability, rated CVSS 9.3, is being actively exploited in the wild. If your servers are exposed to the internet, it is recommended to upgrade FortiClientEMS 7.2 to version 7.2.3 or above and FortiClientEMS 7.0 to version 7.0.11 or above. If you are unable to upgrade your servers at this time, it is strongly recommended that you isolate them from the Internet.

You can also look for signs of exploitation in the log files under C:\Program Files (x86)\Fortinet\FortiClientEMS\logs, checking for connections from unrecognised clients or other malicious activity.

The Approach SOC team can assist you in the event of an incident or suspected compromise.
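The log review suggested above (unrecognised client connections in the EMS logs, and signs of command execution in the MS SQL logs) is easy to script. The following is an added example for this digest, not Fortinet's or Horizon3's tooling: the log line formats, the expected-client networks and the sample lines are all constructed for illustration, so the regular expressions must be adapted to the real formats found under the logs directory.

```python
"""Triage helper for a FortiClientEMS log review (added example, not vendor code).

Assumptions, all constructed for illustration:
  * a connection-log line contains "client connected from <ip>";
  * KNOWN_CLIENT_NETWORKS lists where managed endpoints are expected to come from;
  * the MS SQL error log records configuration changes in plain text.
"""
import re
from ipaddress import ip_address, ip_network
from pathlib import Path

# Networks from which EMS clients are expected to connect (fill in from your inventory).
KNOWN_CLIENT_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

# Constructed pattern for a connection-log line.
CONNECT_RE = re.compile(r"client connected from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Strings whose presence in an MS SQL log suggests OS command execution was enabled or used.
SQL_INDICATORS = ("xp_cmdshell", "sp_configure", "show advanced options")


def is_known_client(ip: str) -> bool:
    """True if the address falls inside one of the expected client networks."""
    try:
        addr = ip_address(ip)
    except ValueError:  # malformed address in the log: treat as unknown
        return False
    return any(addr in net for net in KNOWN_CLIENT_NETWORKS)


def triage_lines(lines, source="ems"):
    """Return a list of findings (dicts) for the given iterable of log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CONNECT_RE.search(line)
        if m and not is_known_client(m.group("ip")):
            findings.append({"source": source, "line": n, "kind": "unknown-client",
                             "detail": m.group("ip"), "text": line.strip()})
        lowered = line.lower()
        hits = [ind for ind in SQL_INDICATORS if ind in lowered]
        if hits:
            findings.append({"source": source, "line": n, "kind": "sql-command-exec",
                             "detail": ", ".join(hits), "text": line.strip()})
    return findings


def triage_directory(log_dir):
    """Walk a directory of *.log files (e.g. the EMS logs folder) and triage each one."""
    findings = []
    for path in sorted(Path(log_dir).rglob("*.log")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(triage_lines(fh, source=str(path)))
    return findings


# Constructed sample data standing in for real EMS and MS SQL log excerpts.
SAMPLE_EMS_LOG = [
    "2024-03-20 09:12:01 INFO client connected from 10.0.4.21 (host=LAPTOP-01)",
    "2024-03-20 09:15:44 INFO client connected from 203.0.113.55 (host=unknown)",
    "2024-03-20 09:16:02 INFO policy sync completed",
]
SAMPLE_SQL_LOG = [
    "2024-03-20 09:16:10 spid52 Configuration option 'show advanced options' changed from 0 to 1.",
    "2024-03-20 09:16:11 spid52 Configuration option 'xp_cmdshell' changed from 0 to 1.",
    "2024-03-20 09:20:00 spid10 Database backup completed.",
]

if __name__ == "__main__":
    for f in triage_lines(SAMPLE_EMS_LOG) + triage_lines(SAMPLE_SQL_LOG, source="mssql"):
        print(f"[{f['kind']}] {f['source']}:{f['line']} {f['detail']} | {f['text']}")
```

Run against the real directory with `triage_directory(r"C:\Program Files (x86)\Fortinet\FortiClientEMS\logs")` after adjusting the patterns; an unknown-client hit close in time to an xp_cmdshell configuration change is the combination worth escalating.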


Jenkins file read vulnerability (CVE-2024-23897) exploited for remote code execution

Jenkins has been found to have a file read vulnerability, designated CVE-2024-23897. This vulnerability stems from the args4j library used by Jenkins to parse command arguments and options in its Command-Line Interface (CLI) during command processing on the Jenkins controller. Exploiting this vulnerability allows an unauthorized user to read portions of files on the file system; authenticated users can potentially read entire files. The affected versions include Jenkins 2.441 and earlier, as well as LTS 2.426.2 and earlier.

Exploiting CVE-2024-23897 could lead to remote code execution (RCE), as demonstrated by several observed attack instances. Attackers have been detected attempting to exploit the vulnerability, with a notable concentration of attack origins in the Netherlands and targets primarily located in South Africa. Moreover, proof-of-concept (PoC) scanners and potentially fraudulent RCE exploits for sale have been identified, highlighting the active exploitation and monetization of this vulnerability.

The vulnerability can be exploited through HTTP, WebSocket, and Secure Shell (SSH), with HTTP and WebSocket presenting higher exploitation probabilities. 

Jenkins has released patches (versions 2.442 and LTS 2.426.3) addressing CVE-2024-23897 by disabling the problematic command parser feature. Users are strongly advised to update their installations promptly to mitigate the risk of security incidents.

Analysis from our SOC team
As indicated in the article, the CVE-2024-23897 vulnerability rated CVSS 10 (critical) is being actively exploited in the wild. Analysis indicates that there are over 45,000 unpatched Jenkins servers.

Versions including Jenkins 2.441 and earlier, as well as LTS 2.426.2 and earlier are affected. Patches have already been released for versions 2.442 and LTS 2.426.3 addressing the vulnerability. You are advised to patch your exposed servers as soon as possible given the severity of the vulnerability.


JetBrains TeamCity authentication bypass flaws (CVE-2024-27198, CVE-2024-27199) actively exploited

Threat actors are actively exploiting vulnerabilities in JetBrains TeamCity, specifically CVE-2024-27198 and CVE-2024-27199, to deploy various malware families and gain administrative control over affected systems.

These vulnerabilities allow attackers to bypass authentication checks, potentially leading to complete control of TeamCity servers.

The flaws impact all TeamCity On-Premises versions through 2023.11.3, and a security patch plugin has been released for systems that cannot be upgraded. Rapid7 researchers discovered the vulnerabilities and published detailed analyses. Exploiting these vulnerabilities allows threat actors to perform a range of malicious activities, including deploying ransomware, cryptocurrency miners, Cobalt Strike beacons, and backdoors.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities catalogue. Threat actors have been observed deploying ransomware and cryptocurrency miners via vulnerable TeamCity servers, highlighting the urgency for organizations to mitigate these vulnerabilities promptly to avoid financial and operational risks.

Analysis from our SOC team
As mentioned in the article, vulnerabilities CVE-2024-27198 (CVSS: 9.8) and CVE-2024-27199 (CVSS: 7.3) are being actively exploited by malicious actors to spread malware and ransomware, which could lead to a large-scale cyber-incident.

These vulnerabilities affect TeamCity On-Premises versions up to and including 2023.11.3 and have been patched in version 2023.11.4. We recommend that you update any vulnerable server to the latest version.

The company has also released a security patch plugin for customers who are unable to patch their systems. If you have any questions or would like help remediating the vulnerability, please open a ticket via their platform or contact the Approach SOC.
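All three advisories in this digest (FortiClientEMS, Jenkins and TeamCity) come down to the same question for an asset owner: is the version I run inside an affected range, and what is the fix version? The following is an added example, not tooling from any of the vendors, that encodes exactly the ranges stated above and checks an inventory against them. It assumes version strings are dotted integers (any trailing suffix is ignored) and that Jenkins weekly releases have two components while LTS releases have three, which is how the digest distinguishes "2.441" from "LTS 2.426.2".

```python
"""Affected-version check for the advisories in this digest (added example, not vendor code).

Ranges are taken from the digest text:
  FortiClientEMS 7.2.0 through 7.2.2 (fix 7.2.3) and 7.0.1 through 7.0.10 (fix 7.0.11);
  Jenkins weekly 2.441 and earlier (fix 2.442), LTS 2.426.2 and earlier (fix 2.426.3);
  TeamCity On-Premises through 2023.11.3 (fix 2023.11.4).
Assumption: Jenkins weekly versions have two numeric components, LTS versions three.
"""
import re


def parse_version(text):
    """Turn '7.0.10' into (7, 0, 10); a trailing suffix such as '-rc1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


# Each entry: inclusive low/high bounds, fix version, CVE; 'parts' restricts the
# entry to versions with that many components (used for the Jenkins weekly/LTS split).
ADVISORIES = {
    "forticlient-ems": [
        {"low": (7, 2, 0), "high": (7, 2, 2), "fixed": "7.2.3", "cve": "CVE-2023-48788"},
        {"low": (7, 0, 1), "high": (7, 0, 10), "fixed": "7.0.11", "cve": "CVE-2023-48788"},
    ],
    "jenkins": [
        {"low": (0,), "high": (2, 441), "fixed": "2.442", "cve": "CVE-2024-23897", "parts": 2},
        {"low": (0,), "high": (2, 426, 2), "fixed": "2.426.3", "cve": "CVE-2024-23897", "parts": 3},
    ],
    "teamcity": [
        {"low": (0,), "high": (2023, 11, 3), "fixed": "2023.11.4",
         "cve": "CVE-2024-27198, CVE-2024-27199"},
    ],
}


def check(product, version_text):
    """Return {'affected': bool, ...} with the fix version and CVE when affected."""
    version = parse_version(version_text)
    for rng in ADVISORIES[product]:
        if rng.get("parts") not in (None, len(version)):
            continue  # entry applies to a different release line (weekly vs LTS)
        if rng["low"] <= version <= rng["high"]:
            return {"affected": True, "version": version_text,
                    "fixed": rng["fixed"], "cve": rng["cve"]}
    return {"affected": False, "version": version_text}


def check_inventory(inventory):
    """inventory: iterable of (hostname, product, version); returns affected hosts only."""
    affected = []
    for host, product, version in inventory:
        result = check(product, version)
        if result["affected"]:
            affected.append({"host": host, "product": product, **result})
    return affected


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = [
    ("ems-01", "forticlient-ems", "7.2.2"),
    ("ems-02", "forticlient-ems", "7.0.11"),
    ("ci-weekly", "jenkins", "2.441"),
    ("ci-lts", "jenkins", "2.426.3"),
    ("build-01", "teamcity", "2023.11.3"),
]

if __name__ == "__main__":
    for entry in check_inventory(SAMPLE_INVENTORY):
        print(f"{entry['host']}: {entry['product']} {entry['version']} affected by "
              f"{entry['cve']}, upgrade to {entry['fixed']}")
```

Feed it the output of your asset inventory rather than the constructed list, and treat any internet-exposed host it flags as the first candidate for upgrade or isolation, as the SOC notes above recommend.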


Phishing emails impersonating Spa Grand Prix

Fraudulent emails impersonating Spa Grand Prix are circulating, attempting to deceive recipients into sharing their bank details. The emails promise a €50 gift voucher and contain a link redirecting to a fake website resembling Spa Grand Prix’s official site.

Analysis from our SOC team
We would also like to emphasize the tips described in the article: never click on links in such emails; instead, browse to the official website yourself or open your banking app.

Suspicious messages can be forwarded to any of the three Safeonweb email addresses:
verdacht@safeonweb.be
suspect@safeonweb.be
suspicious@safeonweb.be

Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.

