Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

SQL Injection RCE in Fortinet FortiClient EMS

IdentifiersCVE-2023-48788CWE-89· Improper Neutralization of Special…

CVE-2023-48788 is an SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), affecting FortiClient EMS 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. The flaw is described as improper neutralization of special elements used in an SQL command and is reported in the DB2 Administration Server (DAS) component. A remote attacker can send specially crafted packets or requests to a vulnerable FortiClient EMS server and trigger SQL injection that can lead to execution of unauthorized code or commands on the server. Supporting reporting in the provided content indicates exploitation can result in remote code execution on the vulnerable server, including execution with SYSTEM privileges, and that the issue has been observed exploited in the wild.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow remote code execution on the FortiClient EMS server, including unauthorized command execution and, per reporting in the provided content, execution with SYSTEM privileges. Because FortiClient EMS is a centralized endpoint management platform, compromise can provide a high-value foothold into the enterprise environment and can be used for initial access, persistence, lateral movement, privilege escalation, malware deployment, ransomware staging, installation of remote access tools, and potential compromise of managed endpoints or administrative workflows. The vulnerability has been referenced in real-world ransomware and intrusion activity and was added to CISA's Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network exposure of FortiClient EMS, especially from the public internet; place the management interface behind VPN or administrative access controls; limit access to trusted source IPs; and monitor for suspicious crafted requests or packets targeting EMS. Because exploitation has been associated with post-compromise deployment of remote access tooling and ransomware activity, defenders should also increase logging and detection around command execution, child processes from EMS services, database-related anomalies, new remote management software, and unusual outbound traffic. These measures only reduce exposure and should not be treated as a substitute for upgrading to a fixed version.

Remediation

Patch, then assume compromise.

Upgrade FortiClient EMS to a fixed release outside the affected ranges. Based on the provided affected versions, organizations should move off FortiClient EMS 7.2.0-7.2.2 and 7.0.1-7.0.10 to a vendor-remediated version as specified by Fortinet. Apply Fortinet's official security advisory guidance and verify that all internet-exposed EMS instances are updated. After patching, review the server for indicators of compromise, including unexpected remote management tools, web shells, new services, unauthorized accounts, scheduled tasks, or suspicious outbound connections, because this vulnerability is known to have been exploited in the wild.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
CVE-2023-48788MaturityPoCVerified exploit

This repository contains a proof-of-concept exploit for CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClient EMS. The main file, CVE-2023-48788.py, is a Python script that connects to a specified FortiClient EMS server over SSL/TCP (default port 8013) and sends a specially crafted registration message containing a SQL injection payload ("' OR 1=1 --"). The script then checks the server's response for the presence of the string 'KA_INTERVAL' to determine if the target is vulnerable. The exploit does not provide post-exploitation capabilities or a shell; it is designed to test for the presence of the vulnerability. The repository also includes a README.md with usage instructions and background information. No hardcoded IPs or domains are present; the target is specified by the user at runtime.

horizon3aiDisclosed Mar 18, 2024pythonnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FortinetForticlient Enterprise Management Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

31 SOURCESView more in app
scworldNews
Mar 31, 2026
Critical Fortinet FortiClient EMS vulnerability under attack | brief | SC Media

A FortiClient EMS SQL injection vulnerability previously added to CISA's Known Exploited Vulnerabilities catalog, indicating confirmed exploitation.

Read more
security affairsNews
Mar 30, 2026
Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution

A FortiClient EMS SQL injection vulnerability that was added by CISA to the Known Exploited Vulnerabilities catalog.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

A critical SQL injection vulnerability in Fortinet FortiClient EMS that is being exploited to deploy remote access tooling.

Read more
security online infoNews
Jan 26, 2026
"Osiris" Rises: New Ransomware Targets Southeast Asian Food Giant with Advanced Tactics

A specific Fortinet vulnerability referenced as being exploited by Medusa ransomware for stealthy ransomware attacks (details not provided in this content).

Read more
+22 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware8

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-48788
NVD
nvd.nist.gov/vuln/detail/CVE-2023-48788
MITRE CWE · CWE-89
Improper Neutralization of Special Elements…
Vendor Advisory
fortiguard.com/psirt/FG-IR-24-007
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48788