Zero-Day Siege: The Fortinet Flaw Exposing the Underbelly of Corporate Defenses

In a rather dramatic turn that might stir the pot more than a tempest in a teapot, the cyber sleuths have once again unearthed a vulnerability so potent that it threatens the sanctity of Fortinet’s…

@InfosecHitchens No mention of whether FortiGate IDP on the inbound connection to a public-facing FortiClient EMS would stop the attack vector.

Or, what about the cloud service for FortiClient EMS Cloud, found at forticlient.forticloud[.]com/ems?

Each customer should be an isolated instance. What does root get an attacker? A Windows box? A nerfed Linux VM? Nothing?

I think these instances must be upgraded by Fortinet in a maintenance window. A customer cannot un-publish the service from the internet.

@hal8999 Good feedback, I shall make some adjustments to my original post.
@hal8999 Your response was added to the original article and further clarification given. Thank you for the valuable insight.

@InfosecHitchens I think you misunderstood. The cloud-based EMS is always published to the public internet. A customer cannot block access or un-publish it because they don't have control.

If you had on-prem Exchange, you could block internet access by a firewall rule until you patched. Or, filter inbound traffic through IDP and application filters.

With 'cloud', the customer no longer controls the firewall or the server on the back-end. So, their environment is always left exposed to the internet unless/until the provider patches the environment or performs some other sort of action to block access.

@hal8999 Thank you, I shall make another edit.
@hal8999 Thanks once more. I have made another edit to the article with your clarification and also added further details about how it could be exploited, taken from the write-up by @horizon3attack.