Introduction
Fortinet has issued an urgent security advisory for a critical, actively exploited zero-day vulnerability in its FortiClient Enterprise Management Server (EMS). The flaw, tracked as CVE-2024-35616, allows an unauthenticated attacker to execute arbitrary code on a vulnerable server, posing a severe risk to organizations that rely on the platform for endpoint management. With threat actors already leveraging the vulnerability in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate action for federal agencies.
Background: A High-Value Target
FortiClient EMS is a centralized management solution that allows administrators to deploy, monitor, and manage FortiClient endpoint security across an organization. By its nature, it is a powerful tool with deep access into a company's network and devices. This makes it an exceptionally valuable target for attackers. A compromise of the EMS server can provide a direct pathway to control thousands of endpoints, effectively handing an attacker the keys to the kingdom.
This incident follows a pattern of threat actors targeting Fortinet's widely deployed security and management appliances. Products like FortiGate firewalls have historically been a focal point for sophisticated campaigns, often serving as the initial point of entry into corporate networks. This latest vulnerability in FortiClient EMS reinforces the strategy of targeting centralized infrastructure to achieve widespread impact.
Technical Details: Unpacking CVE-2024-35616
According to Fortinet's PSIRT advisory, FG-IR-24-192, CVE-2024-35616 is a SQL injection vulnerability. In simple terms, the flaw allows an attacker to send specially crafted data to the EMS server that tricks its underlying database into executing malicious commands. The consequences are severe, leading to unauthenticated remote code execution (RCE).
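To make the mechanism concrete, here is an added, self-contained Python example (not Fortinet's code, and not the query FortiClient EMS actually runs): the same lookup written first with string concatenation, which lets request data change the meaning of the statement, and then with a bound parameter, which keeps the data out of the SQL parser entirely. The table, the hostnames and the crafted input are all constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for whatever the vulnerable
    # server queries; this is a hypothetical schema, not FortiClient EMS's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO endpoints VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-db", "dba")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, hostname):
    # Request-controlled text is pasted straight into the statement, so a
    # quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT hostname, owner FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, hostname):
    # Bound parameter: the driver hands the value to the engine separately
    # from the SQL text, so nothing in the input can become syntax.
    sql = "SELECT hostname, owner FROM endpoints WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


def demo():
    """Run both variants on a benign and on a crafted input; return the rows."""
    conn = make_db()
    benign = "ws-01"
    crafted = "x' OR '1'='1"  # constructed input that breaks out of the string literal
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "hardened_benign": lookup_hardened(conn, benign),
        "hardened_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every row for the crafted input, because the WHERE clause has become `hostname = 'x' OR '1'='1'`; the parameterized version returns nothing, because it looks for a host literally named `x' OR '1'='1`. Whether an injection then escalates to code execution, as the advisory says it does here, depends on what the database engine and its privileges allow, which is why the fix is to remove the injection rather than to restrict what the database can do.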
The vulnerability has been assigned a critical CVSS v3.1 score of 9.3 out of 10. This high score is based on several factors:
- Attack Vector: Network - The vulnerability can be exploited remotely over a network, without needing local access.
- Attack Complexity: Low - An attacker does not need to overcome significant technical hurdles to exploit the flaw.
- Privileges Required: None - This is a key danger. The attacker does not need any username or password; the vulnerability is exploitable by an unauthenticated party.
- User Interaction: None - The attack requires no action from a legitimate user, such as clicking a link or opening a file.
- Impact: High - Successful exploitation results in a complete loss of confidentiality, integrity, and availability of the affected server.
The affected versions are:
- FortiClient EMS 7.2.0 through 7.2.2
- FortiClient EMS 7.0.1 through 7.0.10
Because the flaw allows RCE, a successful attacker gains full control of the FortiClient EMS server. From there, they can execute commands, install malware, and access or alter any data stored on the machine.
Impact Assessment: From Server to Enterprise Compromise
The potential impact of CVE-2024-35616 is substantial, particularly for organizations with internet-facing EMS instances. An unauthenticated attacker could compromise the server and initiate a cascade of malicious activities.
First, the attacker could exfiltrate sensitive data managed by the EMS, including endpoint inventories, user information, and security policy configurations. This information is valuable for reconnaissance and planning further attacks. Strong encryption of data at rest can mitigate some damage, but an attacker with system-level access may be able to bypass it.
Second, and more catastrophically, the attacker can use the EMS's legitimate functions to deploy malware across all managed endpoints. This could be used to distribute ransomware, spyware, or remote access trojans (RATs) throughout the entire organization almost instantly. This turns a single server compromise into a full-scale enterprise breach.
Finally, the compromised EMS server serves as a powerful and persistent foothold within the network. From this trusted position, attackers can move laterally to other critical systems, escalate privileges, and entrench themselves for long-term espionage or future disruptive attacks. The CISA directive, which gives federal agencies until July 11, 2024, to apply the fix, highlights the gravity of the threat to national infrastructure.
How to Protect Yourself
Given the active exploitation, organizations must act swiftly. Waiting for a regularly scheduled patch cycle is not an option. Here are the essential steps to take.
- Apply the Hotfix Immediately
Fortinet has released emergency hotfix builds to address the vulnerability. This is the most critical step. Administrators should upgrade their instances to one of the following versions or newer as soon as possible:
- FortiClient EMS 7.2.3
- FortiClient EMS 7.0.11
- Reduce the Attack Surface
Conduct an immediate review of your FortiClient EMS server's network exposure. If the management interface does not need to be accessible from the public internet, place it behind a firewall and restrict access to internal IP addresses only. If remote administrative access is necessary, it should be strictly controlled through a secure gateway or a VPN service with multi-factor authentication. Never expose management interfaces directly to the internet unless absolutely necessary and properly secured.
- Hunt for Signs of Compromise
Since the vulnerability was exploited as a zero-day, attackers were using it before a patch was available. Organizations should assume potential compromise and hunt for malicious activity. Review logs on the FortiClient EMS server for unusual access patterns, unexpected outbound network connections, new or modified files and scheduled tasks, and any unexplained processes or services. If a compromise is suspected, activate your incident response plan immediately.
- Implement Compensating Controls
If immediate patching is not feasible for operational reasons, consider deploying compensating controls as a temporary measure. A properly configured Web Application Firewall (WAF) in front of the EMS server may be able to detect and block generic SQL injection attempts, though this is not a substitute for patching.
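The steps above boil down to two checks an administrator can script: which EMS instances still fall inside the affected version ranges, and whether the server's logs show the two signals that are easiest to test for mechanically (requests whose decoded path carries SQL-injection tell-tales, and outbound connections from the server process to addresses outside your own ranges). The following Python is an added example written for this article, not a Fortinet tool. The affected and fixed builds are taken from the advisory text above; the log format, the host inventory, the sample events, the `ems-server` process name and the choice of "internal" address space are all constructed assumptions to be replaced with your own.

```python
import ipaddress
import re
from urllib.parse import unquote

# Affected ranges and hotfix builds as listed in the advisory above:
# (lowest affected, highest affected, fixed build) per branch.
AFFECTED_BRANCHES = [
    ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
    ((7, 0, 1), (7, 0, 10), (7, 0, 11)),
]

# Address space treated as "internal" for the outbound-connection check.
# Assumption for the example; adjust to your own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Generic SQL-injection tell-tales in a URL-decoded request path. Meant for
# triage, not blocking: expect false positives on legitimate apostrophes.
SQLI_SIGNS = re.compile(r"'|--|\bunion\b|\bor\b\s*'?\w*'?\s*=|sleep\s*\(", re.I)

KV = re.compile(r"(\w+)=(\S+)")  # key=value pairs in the constructed log format


def parse_version(s):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version):
    """Return (affected, required_build) for one EMS version string."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_BRANCHES:
        if low <= v <= high:
            return True, ".".join(map(str, fixed))
    return False, None


def triage_inventory(hosts):
    """hosts: iterable of (name, version). Returns hosts still needing the hotfix."""
    out = []
    for name, ver in hosts:
        affected, target = patch_status(ver)
        if affected:
            out.append((name, ver, target))
    return out


def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def triage_logs(text):
    """Flag SQLi-looking requests and outbound connections to non-internal hosts."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        f = dict(KV.findall(rest))
        if kind == "access":
            path = unquote(f.get("path", ""))  # decode before matching
            if SQLI_SIGNS.search(path):
                findings.append((ts, "sqli-pattern", f.get("src"), path))
        elif kind == "netconn":
            host = f["dst"].rsplit(":", 1)[0]
            if not is_internal(host):
                findings.append((ts, "external-outbound", f.get("proc"), f["dst"]))
    return findings


# Constructed sample data (hypothetical format; not FortiClient EMS's real logs).
SAMPLE_HOSTS = [("ems-prod", "7.2.1"), ("ems-lab", "7.0.11"), ("ems-dr", "7.0.4")]
SAMPLE_LOGS = """\
2024-06-20T10:01:12Z access src=10.1.5.20 method=GET path=/api/endpoints?host=ws-01 status=200
2024-06-20T10:03:44Z access src=198.51.100.7 method=POST path=/api/endpoints?host=x%27%20OR%20%271%27%3D%271 status=500
2024-06-20T10:03:45Z netconn proc=ems-server dst=203.0.113.9:443
2024-06-20T10:04:02Z netconn proc=ems-server dst=10.1.0.5:5432
2024-06-20T10:05:10Z access src=10.1.5.21 method=GET path=/api/policies status=200
"""

if __name__ == "__main__":
    for name, ver, target in triage_inventory(SAMPLE_HOSTS):
        print(f"{name}: {ver} is affected, upgrade to {target} or newer")
    for finding in triage_logs(SAMPLE_LOGS):
        print("finding:", finding)
```

The internal ranges are listed explicitly rather than relying on `ipaddress`'s `is_private`, which also classifies the documentation ranges used in the sample as non-global; in practice you would load your own address plan. Two of the three sample hosts are reported as needing the hotfix, and the log scan surfaces the decoded request containing a quote and the connection to an address outside the internal ranges; both are leads for the incident response plan, not verdicts.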
The emergence of CVE-2024-35616 is a stark reminder of the risks associated with centralized management platforms. While they offer significant operational benefits, their compromise can have devastating consequences. Prioritizing the immediate application of the available hotfix is the only effective way to neutralize this active threat.