FortiClient EMS Flaw Used to Steal Passwords

Published on May 30, 2026 | Translated from Spanish

A critical flaw in FortiClient EMS has been exploited by cybercriminals to install a password-stealing program. This gives attackers access to personal and work data, increasing the risk of fraud or identity theft for those who do not update the software. The lesson is clear: keeping programs up to date protects private information.


How the attack was executed and which vulnerability was exploited 🔐

The vulnerability, identified as CVE-2023-48788, allows SQL command injection into the EMS server database. Attackers took advantage of this to deploy a password stealer such as AsyncRAT or Agent Tesla. Once inside, they extract credentials stored in browsers and email clients. Fortinet released patches in December 2023, but the lack of updates in many organizations left the door open. The technical recommendation is to apply patch 7.2.2 or higher.

The patch no one wanted to install until it was too late ⚠️

It seems updating software is like going to the dentist: everyone puts it off until it hurts. In this case, the pain came in the form of stolen credentials and emptied bank accounts. Cybercriminals appreciate digital laziness; for them, every uninstalled patch is a dinner invitation. So now you know: if you don't want to share your passwords with strangers, you had better click update before your password starts browsing on its own.