CVE-2023-48788: 
FortiClient EMS vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2023-48788) was discovered in Fortinet FortiClientEMS that affects versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. The vulnerability allows an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. The vulnerability has been assigned a CVSSv3 score of 9.3 and is currently being exploited in the wild (Fortiguard PSIRT).

The vulnerability (CVE-2023-48788) is an improper neutralization of special elements used in SQL commands (SQL Injection) [CWE-89] in the DAS component of FortiClientEMS. The vulnerability exists in binary components written in C++ and Golang, compiled for 64-bit x86 Windows targets, using a custom linefeed-based protocol. The exploitation involves manipulating SQL commands through XP_CMDSHELL to achieve remote code execution (Horizon3).

The successful exploitation of this vulnerability allows attackers to execute unauthorized code or commands on the affected systems. This can lead to complete system compromise, as the vulnerability provides attackers with the ability to execute arbitrary commands through SQL injection (Fortiguard PSIRT).

Fortinet has released patches to address this vulnerability. Organizations should upgrade FortiClientEMS version 7.2.x to version 7.2.3 or above, and version 7.0.x to version 7.0.11 or above. Additionally, an IPS signature named 'FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection' is available in FMWP db update 27.750 to help detect and prevent exploitation attempts (Fortiguard PSIRT).