Fortinet races to patch critical EMS flaw as attackers exploit it in the wild

Background: An emergency patch for an active threat

Fortinet has issued an urgent, out-of-band security update to address a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software. The flaw, tracked as CVE-2024-35616, is a severe format string bug that allows an unauthenticated attacker to execute code remotely with the highest system privileges. Compounding the severity, both Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have confirmed that threat actors are actively exploiting this vulnerability in the wild.

The emergency patch, released over the weekend of June 20, 2024, underscores the immediate danger posed to organizations. FortiClient EMS is a centralized management platform used by enterprises to deploy, manage, and monitor FortiClient endpoints, which provide services like antivirus, web filtering, and remote access. A compromise of the central EMS server gives an attacker a powerful foothold to potentially control an organization's entire fleet of managed endpoints.

In response to the active exploitation, CISA promptly added CVE-2024-35616 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating that U.S. federal agencies apply the patch by July 12, 2024. This action serves as a strong signal to all organizations, public and private, to prioritize remediation immediately.

Technical deep dive: A classic bug with modern consequences

At its core, CVE-2024-35616 is a format string vulnerability. This class of bug, often found in C/C++ applications, occurs when the software improperly handles user-supplied input as part of a format string specifier in functions like printf(). An attacker can craft special character sequences (e.g., %s, %x, %n) that, when processed by the vulnerable function, can be used to read from or write to arbitrary memory locations. In the worst-case scenario, this leads to arbitrary code execution.

According to Fortinet's advisory (FG-IR-24-219), the vulnerability resides within a logging mechanism of the FortiClient EMS installer. The key aspects that make this flaw so dangerous are:

• Attack Vector: The attack is remote and requires no authentication. An adversary on the internet can target any publicly exposed FortiClient EMS instance without needing valid credentials.
• Privilege Escalation: Successful exploitation results in remote code execution (RCE) with SYSTEM-level privileges on the underlying Windows server. This is the highest level of access, granting the attacker complete control over the machine.
• CVSS Score: The vulnerability has been assigned a CVSS score of 9.8 out of 10, reflecting its critical nature, low attack complexity, and high impact on confidentiality, integrity, and availability.

Affected and patched versions

Administrators must check their deployments against the following list of affected versions and upgrade to the corresponding patched release immediately:

• FortiClient EMS 7.2 branch: Versions 7.2.0 through 7.2.2 are vulnerable. Upgrade to 7.2.3 or later.
• FortiClient EMS 7.0 branch: Versions 7.0.1 through 7.0.10 are vulnerable. Upgrade to 7.0.11 or later.
• Older unsupported branches (6.x) also have patches available, and customers are strongly advised to upgrade.

Impact assessment: A gateway to the enterprise network

The impact of a successful exploit against CVE-2024-35616 is severe and far-reaching. Because FortiClient EMS is a trusted central management server, its compromise can unravel an organization's endpoint security posture.

An attacker who gains SYSTEM-level access to the EMS server can:

• Establish a persistent foothold: The compromised server becomes a beachhead within the network, allowing the attacker to establish persistence and plan further attacks.
• Pivot and move laterally: From the EMS server, attackers can scan the internal network, identify other vulnerable systems, and move laterally to access high-value assets like domain controllers, databases, and file servers.
• Control all managed endpoints: The attacker could potentially use the EMS's legitimate administrative functions to deploy malware, disable security features (like antivirus or web filtering), or exfiltrate data from thousands of managed endpoints across the organization. This turns a single server compromise into a potential fleet-wide incident.
• Exfiltrate sensitive data: Any sensitive configuration data, credentials, or organizational information stored on or accessible from the EMS server is at risk of being stolen.

This incident follows a troubling pattern of threat actors targeting internet-facing management infrastructure. Security appliances and management consoles from various vendors have become prime targets for initial access operations by both cybercriminal groups and nation-state actors. They are often less monitored than production servers, have high privileges, and provide a direct path into the corporate network.

How to protect yourself: Actionable steps for administrators

Given the active exploitation, immediate and decisive action is required. Organizations using FortiClient EMS should follow these steps without delay.

1. Patch immediately

The primary and most effective defense is to apply the security updates provided by Fortinet. Do not wait for a scheduled maintenance window. The risk of compromise is high and ongoing. Upgrade to the patched versions outlined in Fortinet's advisory, such as 7.2.3 or 7.0.11.

2. Hunt for signs of compromise

Since the vulnerability is being exploited, organizations must assume they may have already been targeted. It is essential to review logs and system activity on FortiClient EMS servers for any signs of compromise. While Fortinet has not released specific Indicators of Compromise (IOCs), security teams should look for:

• Unusual processes or services running on the server, especially those spawned by the EMS services.
• Unexpected outbound network connections from the EMS server to unknown IP addresses.
• Newly created user accounts on the server or within the domain.
• Suspicious log entries or evidence of log tampering.
• Any modifications to endpoint security policies within the EMS console that were not made by authorized administrators.

3. Implement temporary mitigations if patching is delayed

If patching cannot be performed instantly, the immediate priority is to reduce the attack surface. Fortinet recommends restricting access to the FortiClient EMS administrative interface. Use a firewall or network access control lists (ACLs) to ensure that only trusted IP addresses from within your management network can connect to the server. This prevents attackers on the broader internet from reaching the vulnerable service.

4. Enhance network security and monitoring

This incident highlights the importance of a defense-in-depth strategy. Ensure that critical management servers like FortiClient EMS are placed in a secure network segment with strict ingress and egress filtering. Enhancing the security of remote connections with a trusted VPN service can also add a layer of protection for administrative access. Continuously monitor network traffic to and from these servers for anomalous patterns that could indicate an attempted or successful attack.

The rapid weaponization of CVE-2024-35616 is a stark reminder that the window between vulnerability disclosure and active exploitation is shrinking. Proactive vulnerability management, rapid patching, and vigilant monitoring are not just best practices; they are essential for survival.