CVE-2023-48788: Active Exploitation and PoC for Critical RCE in Fortinet FortiClientEMS Observed

Share :

On March 21, 2024, security researchers published a technical analysis along with a proof of concept (PoC) regarding the critical Remote Code Execution (RCE) vulnerability, CVE-2023-48788, in Fortinet’s FortiClientEMS. This vulnerability enables an unauthenticated threat actor to achieve RCE through the manipulation of SQL commands. 

Fortinet has stated that this vulnerability is under active exploitation. PoC exploit code is also now publicly available. While threat actors have not previously targeted FortiClientEMS, several other Fortinet products have been historically targeted such as FortiOS through CVE-2024-21762 and CVE-2024-23113 back in February 2024. 

Recommendation for CVE-2023-48788

Upgrade Fortinet FortiClientEMS to Fixed Version

Arctic Wolf strongly recommends upgrading Fortinet FortiClientEMS to the latest version 

Product  Affected Version  Fixed Version 
FortiClientEMS  7.2.0 to 7.2.2  7.2.3 or above 
7.0.1 to 7.0.10  7.0.11 or above 


Please follow your organization’s patching and testing guidelines to avoid operational impact. 


  1. Fortinet Security Advisory 
  2. CVE-2023-48788 Technical Analysis 
  3. CVE-2023-48788 PoC 
  4. AW Blog (CVE-2024-21762 & CVE-2024-23113) 

See other important security bulletins from Arctic Wolf.

Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter