Version Details: Current
Rev: 1 • Dec 19, 2024, 12:00 PM
ET EXPLOIT Fortinet FortiClient EMS SQL Injection (CVE-2023-48788)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortinet FortiClient EMS SQL Injection (CVE-2023-48788)"; flow:established,to_server; content:"MSG_HEADER|3a 20|FCTUID|3d|"; fast_pattern; startswith; pcre:"/^[^\x0a]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive; reference:cve,2023-48788; classtype:attempted-admin; sid:2058432; rev:1; metadata:affected_product FortiClient_EMS, attack_target Server, tls_state TLSDecrypt, created_at 2024_12_19, cve CVE_2023_48788, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Dec 19, 2024, 12:00 PM
Dec 19, 2024, 9:34 PM
rules/emerging-exploit.rules