Global Cyberattack Exploits CVE-2023-48788, Deploys Remote Access Tools Across 12 Countries
December 20, 2024

A critical security vulnerability, identified as CVE-2023-48788, is an SQL injection flaw with a CVSS score of 9.3, allowing unauthorized code execution through specially crafted data packets.
Cyber actors have exploited this vulnerability to install remote desktop software such as AnyDesk and ScreenConnect on compromised systems.
Initially, attackers leveraged CVE-2023-48788 to gain access, subsequently installing ScreenConnect for remote access, and then uploading additional payloads for lateral movement and network enumeration.
These attacks, reported by Kaspersky in December 2024, targeted a Windows server of an unnamed company that had two open ports associated with Fortinet FortiClient EMS.
The compromised system utilized Fortinet technology to provide employees with secure VPN access by downloading specific policies to their devices.
The cyber campaign has impacted various companies across multiple countries, including Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E.
Notable tools deployed during the attack included webbrowserpassview.exe, Mimikatz, netpass64.exe, and netscan.exe, which are used for password recovery and network scanning.
This incident follows a similar attack campaign identified by Forescout in April 2024, highlighting a trend of evolving attack techniques aimed at deploying remote access tools.
Kaspersky also reported attempts on October 23, 2024, to further weaponize CVE-2023-48788 by executing a PowerShell script to scan for vulnerable systems.
Summary based on 1 source
Source
The Hacker News • Dec 20, 2024
Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools