This report details an ongoing exploitation campaign targeting CVE-2023-48788, a recently disclosed SQL injection vulnerability in Fortinet's FortiClient EMS. The actors behind the campaign are actively scanning for exposed EMS servers and exploiting the flaw to gain initial access. Once inside, they deploy remote management tooling such as ScreenConnect and malicious scripts to maintain persistence and carry out further activity within the compromised networks. Evidence suggests the threat actor has been active since at least 2022, targeting Fortinet appliances and using infrastructure with Vietnamese and German language elements. The report provides technical details, indicators of compromise (IoCs), and mitigation recommendations for this campaign.
