CVE-2023-48788

CRITICAL KEV RANSOMWARE NUCLEI

Fortinet Forticlient Endpoint Management Server - SQL Injection

Title source: nuclei

Exploitation Summary

CVE-2023-48788 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2024, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits: a Python proof of concept from horizon3ai and a Metasploit module (exploits/windows/http/forticlient_ems_fctid_sqli) by Zach Hanley, James Horseman, jheysel-r7 and Spencer McIntyre. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClient EMS. The exploit sends a crafted registration message carrying a SQL injection payload to check whether the target is vulnerable.

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.
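The first check a practitioner wants from this description is whether a given EMS build falls inside the affected ranges. The Python below is an added example written for this page, not code from Fortinet, horizon3ai or the Metasploit project. It encodes the two inclusive ranges stated in the description and compares version components as integers, because a plain string comparison sorts "7.0.10" before "7.0.9" and would misclassify 7.0.10. Tolerating a trailing "build NNNN" suffix and the sample inventory at the bottom are assumptions made for illustration; 7.0.11 and 7.2.3 lie outside the ranges in the description and are treated as not affected.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the CVE description (inclusive on both ends).
AFFECTED_RANGES = (
    ((7, 0, 1), (7, 0, 10)),
    ((7, 2, 0), (7, 2, 2)),
)

# Leading major.minor.patch triple, optional "v" prefix; anything after it is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the leading major.minor.patch triple from a version string.

    Trailing build information such as "7.2.2 build 0864" (a format assumed
    here for illustration) is ignored. Returns None if no dotted triple is found.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range for CVE-2023-48788.

    Comparison is done on integer tuples, not strings: as strings,
    "7.0.10" < "7.0.9", which would wrongly mark 7.0.10 as unaffected.
    """
    v = parse_version(text)
    if v is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions: List[str]) -> List[Tuple[str, bool]]:
    """Classify a list of version strings, e.g. from a fleet inventory export."""
    return [(t, is_affected(t)) for t in versions]


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    sample = ["7.0.10", "7.0.11", "7.2.2", "7.2.3", "7.0.0", "7.2.2 build 0864"]
    for ver, hit in triage(sample):
        print(f"{ver:20s} {'AFFECTED' if hit else 'outside affected range'}")
```

Feed the function the version string reported by the EMS console or your asset inventory; anything that returns True should be treated as exposed on TCP 8013 until upgraded.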

Exploits (2)

nomisec · WORKING POC · 52 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2023-48788

This repository contains a functional Python exploit for CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClient EMS. The exploit sends a crafted registration message carrying a SQL injection payload to check whether the target is vulnerable.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Fortinet FortiClient EMS
No auth needed
Prerequisites: Network access to the target FortiClient EMS server · Target server must be running a vulnerable version of FortiClient EMS
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · EXCELLENT
by Zach Hanley, James Horseman, jheysel-r7, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb

This Metasploit module exploits the SQL injection vulnerability (CVE-2023-48788) in FortiClient EMS to gain unauthenticated remote code execution via xp_cmdshell in the context of NT AUTHORITY\SYSTEM. It targets versions 7.2.0-7.2.2 and 7.0.1-7.0.10 by sending crafted messages to the FCTDas.exe service.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: FortiClient EMS 7.2.0-7.2.2, 7.0.1-7.0.10
No auth needed
Prerequisites: At least one endpoint enrolled in FortiClient EMS · Network access to port 8013
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Fortinet Forticlient Endpoint Management Server - SQL Injection
CRITICAL · VERIFIED · by James Horseman, ItshMoh

Scores

CVSS v3 9.8
EPSS 0.9408
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-03-25
VulnCheck KEV 2024-03-12
InTheWild.io 2024-03-25
ENISA EUVD EUVD-2023-52821
Ransomware Use Confirmed
CWE
CWE-89
Status published
Products (1)
fortinet/forticlient_enterprise_management_server 7.0.1 - 7.0.11
Published Mar 12, 2024
KEV Added Mar 25, 2024
Tracked Since Feb 18, 2026