
CVE-2023-48788

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 12 March 2024

Modified: 24 October 2025
KEV Added: 25 March 2024
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9408 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-48788 is a critical-severity SQL injection (CWE-89) vulnerability in Fortinet FortiClient Enterprise Management Server (FortiClientEMS). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-48788 is an SQL injection vulnerability (CWE-89) present in Fortinet FortiClientEMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. The flaw stems from improper neutralization of special elements in SQL commands and can be triggered by specially crafted packets, enabling execution of unauthorized code or commands. It carries a CVSS v3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send malicious packets to an affected FortiClientEMS instance and obtain full control over the underlying database and host, potentially leading to data exfiltration, privilege escalation, or further lateral movement within the management environment.

The Fortinet advisory FG-IR-24-007 recommends applying the vendor-supplied patches or mitigations for the listed FortiClientEMS releases. The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

EPSS scores have remained consistently high, with a peak of 0.9679 and current value of 0.9408, indicating sustained exploitation interest following disclosure.

Vulnerability details

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
KEV Date Added: 25 March 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fortinet
Product: forticlient enterprise management server
Versions: 7.0.1 — 7.0.11 · 7.2.0 — 7.2.3

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of untrusted input to block the specially crafted SQL payloads that enable this injection.

Prevent (SI-2, Flaw Remediation): Mandates timely application of vendor patches that remediate the improper neutralization flaw in FortiClientEMS.

Prevent (boundary protection): Enforces boundary protections that can restrict unauthenticated network access to the vulnerable EMS service before crafted packets reach it.
