
CISA KEV Alert: Remediate Active Exchange SSRF (CVE-2024-26234) and Fortinet RCE (CVE-2023-48788)

Security Arsenal Team
April 15, 2026
7 min read

Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical security flaws affecting Adobe ColdFusion, Fortinet FortiClientEMS, Microsoft Exchange Server, and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog. This designation confirms that active exploitation of these vulnerabilities has been observed in the wild.

For defenders, this is not a theoretical risk. Under Binding Operational Directive (BOD) 22-01, federal agencies are required to patch these vulnerabilities by specific deadlines. For private sector organizations, these additions serve as a critical prioritization signal: if you run these platforms, you are currently a target.

This analysis focuses on the most critical operational risks in this batch: the Microsoft Exchange Server SSRF (CVE-2024-26234) and the Fortinet FortiClientEMS SQL Injection (CVE-2023-48788).

Technical Analysis

Microsoft Exchange Server (CVE-2024-26234)

  • Vulnerability Type: Server-Side Request Forgery (SSRF)
  • Affected Versions: Microsoft Exchange Server 2013, 2016, and 2019.
  • CVSS Score: 8.8 (High)
  • Exploitation Status: Confirmed Active Exploitation (CISA KEV)

Defender's Breakdown: The vulnerability sits in the Exchange Server core, in the Outlook on the web (OWA) components. An authenticated attacker sends a specially crafted HTTP request to the Exchange server, which then issues requests of the attacker's choosing to hosts the server can reach but the attacker cannot, most importantly services on the internal network.

While SSRF is often filed as an "information leak," on an Exchange server it is a precursor to full compromise: Exchange servers are typically highly privileged in Active Directory and sit in the middle of the internal network. Attackers chain SSRF to:

  1. Bypass network segmentation and reach internal management APIs that were never meant to be exposed.
  2. Coerce the Exchange server into authenticating to an attacker-controlled host and relay that NTLM authentication to internal services such as LDAP or SMB (or capture the Net-NTLMv2 response for offline cracking).
  3. Trigger remote code execution when the reachable internal endpoint has a deserialization or other flaw of its own.

Fortinet FortiClientEMS (CVE-2023-48788)

  • Vulnerability Type: SQL Injection
  • Affected Versions: FortiClientEMS 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10.
  • CVSS Score: 9.8 (Critical)
  • Exploitation Status: Confirmed Active Exploitation (CISA KEV)

Defender's Breakdown: FortiClientEMS (Enterprise Management Server) is the centralized console that manages FortiClient endpoints. The flaw is a classic SQL injection (CWE-89): attacker-controlled input reaches an SQL command without its special elements being neutralized (FGFAbortAgentTask interface).

An unauthenticated, remote attacker can inject SQL through the listening service ports (typically TCP 8013, the channel the FortiClient agents report to, or TCP 443). Because the EMS back end is Microsoft SQL Server, the public exploitation write-ups turned the injection into command execution through the xp_cmdshell stored procedure; the resulting shell runs on the underlying Windows server with SYSTEM privileges. That is full control of the management plane: the attacker can push malware or scripts to every managed endpoint, or pivot laterally into the internal network.

Other Noted Additions

  • Adobe ColdFusion (CVE-2024-20712): A Deserialization vulnerability leading to Arbitrary Code Execution. This is a high-priority target for internet-facing web servers.
  • Windows Mark of the Web (CVE-2024-26169): A security feature bypass. While less critical than RCE, it is often used in phishing chains to evade SmartScreen protections.

Detection & Response

SIGMA Rules

YAML
---
title: Potential Exchange Server Web Shell via SSRF Exploitation
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects cmd.exe, powershell.exe or pwsh.exe spawned by the IIS worker process (w3wp.exe), the process-creation pattern of a web shell dropped after Exchange exploitation.
references:
  - https://msrc.microsoft.com/advisory
author: Security Arsenal
date: 2024/04/17
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.t1505.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_appcmd:
    # IIS maintenance tooling occasionally shells out to appcmd.exe; keep this exclusion narrow.
    # Never exclude on words such as "bypass": "-ExecutionPolicy Bypass" is exactly what a dropped web shell runs.
    CommandLine|contains: '\appcmd.exe'
  condition: selection and not filter_appcmd
falsepositives:
  - Legitimate administrative scripts run via IIS
level: high
---
title: Fortinet FortiClientEMS SQL Injection Exploitation Activity
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects potential exploitation of CVE-2023-48788 by looking for shell execution spawned by the FortiClientEMS Java service.
references:
  - https://www.fortiguard.com/psirt/FG-IR-23-260
author: Security Arsenal
date: 2024/04/17
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2023.48788
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains: '\FCTEMS\'
    ParentImage|endswith: '\java.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\whoami.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Administrative debugging on the EMS server
level: critical
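To check that the match and exclusion logic of the two rules above actually behaves as intended before deploying them, here is an added example (not code from the Security Arsenal page, Microsoft or Fortinet) that expresses both rules as plain Python predicates and runs them over a handful of constructed process-creation records. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, User). Everything else is an assumption made for the example: the `key=value|key=value` line format, the FortiClientEMS install path under `\FCTEMS\`, the SQL Server instance name `FCEMS`, and the treatment of `sqlservr.exe` as a suspicious parent, which goes beyond the Sigma rule and reflects the public exploitation path for CVE-2023-48788 (xp_cmdshell).

```python
"""Added example: the two Sigma rules as Python predicates over constructed
Sysmon-style process-creation records. Not from the original page; the log
format, install path (\\FCTEMS\\) and SQL instance name (FCEMS) are assumptions."""

from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")

# Constructed sample log: one process-creation event per line, fields separated by '|'.
SAMPLE_LOG = r"""
ProcessId=4120|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|ParentCommandLine=w3wp.exe -ap "MSExchangeOWAAppPool"|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami
ProcessId=4188|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|ParentCommandLine=w3wp.exe -ap "MSExchangeECPAppPool"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -NoP -enc SQBFAFgA
ProcessId=4210|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|ParentCommandLine=w3wp.exe -ap "DefaultAppPool"|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c C:\Windows\System32\inetsrv\appcmd.exe list apppool
ProcessId=5002|User=CORP\jdoe|ParentImage=C:\Windows\explorer.exe|ParentCommandLine=explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Users\jdoe\notes.ps1
ProcessId=6110|User=NT AUTHORITY\SYSTEM|ParentImage=C:\Program Files (x86)\Fortinet\FCTEMS\jre\bin\java.exe|ParentCommandLine=java.exe -jar ems.jar|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami
ProcessId=6150|User=NT SERVICE\MSSQL$FCEMS|ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe|ParentCommandLine=sqlservr.exe -sFCEMS|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c powershell -enc ZQBjAGgAbwA=
ProcessId=6160|User=NT SERVICE\MSSQL$FCEMS|ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe|ParentCommandLine=sqlservr.exe -sFCEMS|Image=C:\Windows\System32\conhost.exe|CommandLine=\??\C:\Windows\system32\conhost.exe 0x4
"""


def parse_line(line: str) -> Event:
    """Split one 'key=value|key=value' record. Only the first '=' separates key
    from value, so base64 blobs ending in '=' in a command line survive intact."""
    event: Event = {}
    for chunk in line.strip().split("|"):
        key, sep, value = chunk.partition("=")
        if sep:
            event[key] = value
    return event


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rule_exchange_webshell(ev: Event) -> bool:
    """Sigma rule 1: the IIS worker process spawning a shell. Paths are compared
    case-insensitively because Sysmon records whatever casing the caller used."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not (parent.endswith("\\w3wp.exe") and image.endswith(SHELLS)):
        return False
    # Exclusion kept deliberately narrow: IIS maintenance that shells out to appcmd.exe.
    # Excluding on a word such as "bypass" would suppress "-ExecutionPolicy Bypass",
    # which is exactly what a dropped web shell tends to run (PID 4188 in the sample).
    return "\\appcmd.exe" not in cmd


def rule_forticlient_ems(ev: Event) -> bool:
    """Sigma rule 2: the FortiClientEMS Java service spawning a shell or whoami.
    Added generalization (assumption, see lead-in): on the EMS host the SQL Server
    process is also treated as a suspicious parent, because public exploitation of
    CVE-2023-48788 reached command execution through xp_cmdshell."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    ems_java = "\\fctems\\" in parent and parent.endswith("\\java.exe")
    ems_sql = parent.endswith("\\sqlservr.exe")
    return (ems_java or ems_sql) and image.endswith(SHELLS + ("\\whoami.exe",))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("exchange_w3wp_shell", rule_exchange_webshell),
    ("forticlientems_shell", rule_forticlient_ems),
]


def triage(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, matched rule names) for every event that fires at least one rule."""
    hits: List[Tuple[str, List[str]]] = []
    for ev in events:
        matched = [name for name, predicate in RULES if predicate(ev)]
        if matched:
            hits.append((ev.get("ProcessId", "?"), matched))
    return hits


if __name__ == "__main__":
    for pid, names in triage(parse_log(SAMPLE_LOG)):
        print(f"PID {pid}: {', '.join(names)}")
```

Running it flags PIDs 4120 and 4188 (w3wp.exe spawning a shell, including the `-ExecutionPolicy Bypass` case), 6110 (the EMS Java service) and 6150 (sqlservr.exe spawning cmd.exe), while the appcmd.exe maintenance call, the interactive user's PowerShell and the conhost.exe child stay quiet. The sqlservr.exe parent check is broad on a general-purpose database host; scope it to the EMS server when you lift it into a production rule.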

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Exchange suspicious process spawns
// (the child process name column in DeviceProcessEvents is FileName)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
// Keep the exclusion narrow: only IIS maintenance that shells out to appcmd.exe
| where not(ProcessCommandLine contains "appcmd.exe")
// Exchange app pools are named MSExchange*AppPool, so the parent command line shows which pool spawned the shell
| extend ExchangeAppPool = InitiatingProcessCommandLine contains "MSExchange"
| project Timestamp, DeviceName, AccountName, ExchangeAppPool, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc

// Hunt for Fortinet EMS SQLi/RCE indicators
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFolderPath contains "FCTEMS"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Exchange worker processes spawning shells
-- pslist() exposes Ppid but no parent object, so collect the parents first and join on Ppid.
LET exchange_parents = SELECT Pid AS ParentPid, Exe AS ParentExe
  FROM pslist()
  WHERE Name =~ "^w3wp[.]exe$"

SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, ParentPid, ParentExe
FROM foreach(row=exchange_parents, query={
    SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, ParentPid, ParentExe
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name =~ "^(cmd|powershell|pwsh)[.]exe$"
      AND NOT CommandLine =~ "appcmd[.]exe"
})

-- Hunt for Fortinet EMS Service (Java) spawning shells
LET ems_parents = SELECT Pid AS ParentPid, Exe AS ParentExe
  FROM pslist()
  WHERE Name =~ "^java[.]exe$" AND Exe =~ "FCTEMS"

SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, ParentPid, ParentExe
FROM foreach(row=ems_parents, query={
    SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, ParentPid, ParentExe
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name =~ "^(cmd|powershell|pwsh|whoami)[.]exe$"
})

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Checks Exchange Server version against vulnerable builds for CVE-2024-26234.
.DESCRIPTION
    Reads the file version of ExSetup.exe on the local Exchange Server and compares it
    against the minimum patched build for that Exchange generation (2013/2016/2019).
    Run in an elevated PowerShell session on the Exchange server itself.
#>

function Test-ExchangeVulnerability {
    # Exchange Setup defines ExchangeInstallPath as a machine-wide environment variable.
    if (-not $env:ExchangeInstallPath) {
        Write-Host "[-] ExchangeInstallPath is not set. Is this an Exchange Server?"
        return
    }
    # Join-Path avoids a doubled backslash; ExchangeInstallPath normally ends with one.
    $ExSetupPath = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    if (-not (Test-Path $ExSetupPath)) {
        Write-Host "[-] ExSetup.exe not found under $env:ExchangeInstallPath."
        return
    }

    # FileVersion is a string such as "15.02.1118.040". Casting to [version] normalises the
    # zero padding and compares numerically; a string compare would rank "15.02.1118.9"
    # above "15.02.1118.40".
    $Current = [version](Get-Item $ExSetupPath).VersionInfo.FileVersion
    Write-Host "[*] Current Exchange build: $Current"

    # Minimum secure builds based on the MSRC advisory for CVE-2024-26234
    $SecureVersions = @{
        '2013' = [version]'15.00.1497.042'
        '2016' = [version]'15.01.2507.025'
        '2019' = [version]'15.02.1118.029'
    }

    # Major.Minor identifies the product generation: 15.0 = 2013, 15.1 = 2016, 15.2 = 2019
    $CurrentMajor = switch ("$($Current.Major).$($Current.Minor)") {
        '15.0' { '2013' }
        '15.1' { '2016' }
        '15.2' { '2019' }
        default { $null }
    }
    if (-not $CurrentMajor) {
        Write-Host "[-] Unsupported Exchange version detected ($Current)."
        return
    }

    $Baseline = $SecureVersions[$CurrentMajor]
    $Vulnerable = $Current -lt $Baseline
    if ($Vulnerable) {
        Write-Host "[!] VULNERABLE: Exchange $CurrentMajor build $Current is older than the secure baseline ($Baseline)."
        Write-Host "[!] Action: Install the current Cumulative Update plus the latest Security Update immediately."
    } else {
        Write-Host "[+] SECURE: Build meets or exceeds the security patch baseline ($Baseline)."
    }

    # Emit a structured result so the check can be collected fleet-wide (e.g. via Invoke-Command)
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Exchange     = $CurrentMajor
        Build        = $Current
        Baseline     = $Baseline
        Vulnerable   = $Vulnerable
    }
}

Test-ExchangeVulnerability

Remediation

Microsoft Exchange Server (CVE-2024-26234)

  1. Patch Immediately: Apply the latest Cumulative Update (CU) together with the Security Update (SU) that addresses CVE-2024-26234, then verify the ExSetup.exe build. The minimum patched builds are:
    • Exchange Server 2019: build 15.02.1118.029 or later.
    • Exchange Server 2016: CU23, build 15.01.2507.025 or later.
    • Exchange Server 2013: CU23, build 15.00.1497.042 or later.
  2. Workaround: If patching is delayed, stop exposing the /autodiscover and /owa virtual directories directly to the internet (put them behind a VPN or a WAF with strict signature enforcement), and restrict outbound connections from the Exchange server to the internal services it actually needs; egress filtering narrows what an SSRF can reach until the patch is installed.
  3. Official Advisory: Microsoft Security Update Guide
  4. CISA Deadline: Federal agencies must apply updates by May 7, 2024.

Fortinet FortiClientEMS (CVE-2023-48788)

  1. Patch Immediately: Upgrade to a fixed release.
    • FortiClientEMS 7.2.x: Upgrade to 7.2.3 or later.
    • FortiClientEMS 7.0.x: Upgrade to 7.0.11 or later.
  2. Network Segmentation: Ensure the management interface (TCP 8013, TCP 443) is not accessible from the internet. Restrict access to specific management subnets.
  3. Official Advisory: Fortinet PSIRT Advisory FG-IR-23-260
  4. CISA Deadline: Federal agencies must apply updates by May 7, 2024.

Adobe ColdFusion (CVE-2024-20712)

  • Remediation: Update to ColdFusion 2023 Update 5, 2021 Update 11, or 2018 Update 18 and later.
  • Workaround: If patching is not possible, restrict access to the ColdFusion Administrator interface and debug ports to trusted internal IPs only.
