CVE-2026-21643: SQL Injection Bug in FortiClient EMS Under Active Attack



Severity: Critical

Vulnerability Summary

  • CVE: CVE-2026-21643
  • CVSS Score: 9.1
  • Vulnerability Type: Pre-authentication SQL Injection
  • Affected Version: FortiClient EMS 7.4.4 only
  • Fixed Version: 7.4.5+
  • Description:
    • The vulnerability was introduced during a refactoring of the middleware stack and database connection layer in version 7.4.4.
    • When multi-tenant mode (SITES_ENABLED) is active, a Site HTTP header is used to determine the tenant context. The value of this header is passed directly into a format-string interpolated SQL query (SET search_path TO '{site}') without sanitization or character filtering.
    • The SiteMiddleware that processes this header executes before the AuthMiddleware, allowing the injection to occur prior to any login check.
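The two root causes listed above (unfiltered interpolation of the Site header into the SET statement, and tenant resolution running before authentication) as an added Python illustration. This is not FortiClient EMS code: the function names, the fcm_ allow-list pattern and the known_sites set are assumptions made for the example. The vulnerable builder is shown beside a hardened one that allow-lists the tenant name and quotes it as a PostgreSQL identifier, followed by a check on middleware ordering.

```python
import re

SITE_HEADER = "Site"


def vulnerable_search_path(headers: dict) -> str:
    """Build the tenant SET statement the way the advisory describes the flaw:
    the raw header value is interpolated straight into the SQL text, so a single
    quote in the header changes the statement instead of the tenant name."""
    site = headers.get(SITE_HEADER, "")
    return f"SET search_path TO '{site}'"


# Assumed tenant-schema naming rule; the advisory only says legitimate values
# follow an fcm_ pattern, the exact character set here is a guess for the example.
SITE_RE = re.compile(r"^fcm_[a-z0-9_]{1,60}$")


class InvalidSiteHeader(ValueError):
    """Raised when the Site header does not name a known tenant."""


def quote_ident(name: str) -> str:
    """PostgreSQL identifier quoting: wrap in double quotes, double any embedded quote."""
    return '"' + name.replace('"', '""') + '"'


def hardened_search_path(headers: dict, known_sites: frozenset) -> str:
    """Allow-list the tenant name before it reaches SQL, then quote it as an identifier.
    Unknown or malformed values fail closed, so the header can select a tenant but
    can never change the shape of the query."""
    site = headers.get(SITE_HEADER, "")
    if not SITE_RE.fullmatch(site) or site not in known_sites:
        raise InvalidSiteHeader(f"rejected Site header value: {site!r}")
    return f"SET search_path TO {quote_ident(site)}"


def site_resolution_after_auth(middleware: list) -> bool:
    """Ordering check for the second root cause: tenant resolution must run only
    after the request has been authenticated. Middleware names are hypothetical."""
    return middleware.index("AuthMiddleware") < middleware.index("SiteMiddleware")


if __name__ == "__main__":
    # Constructed inputs: one legitimate tenant, one header carrying a quote.
    good = {"Site": "fcm_acme"}
    bad = {"Site": "fcm_a'; --"}
    print(vulnerable_search_path(good))
    print(vulnerable_search_path(bad))          # quote survives into the SQL text
    print(hardened_search_path(good, frozenset({"fcm_acme"})))
    try:
        hardened_search_path(bad, frozenset({"fcm_acme"}))
    except InvalidSiteHeader as exc:
        print("rejected:", exc)
    print(site_resolution_after_auth(["SiteMiddleware", "AuthMiddleware"]))  # False
```

With a real PostgreSQL driver the same effect comes from psycopg2's sql.Identifier or from SELECT set_config('search_path', %s, false) with a bound parameter, which keeps the tenant value out of the SQL text entirely; the allow-list check is still worth keeping in front of either, because it turns an unexpected header into a rejected request rather than a valid query against the wrong schema.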

Exploitation

  • Attack Vector: Network-based; requires no credentials if the EMS web interface is reachable over HTTPS.
  • Reconnaissance: Attackers can determine if a target is vulnerable by querying the publicly accessible GET /api/v1/init_consts endpoint to check if SITES_ENABLED is true.
  • Attack Chain
    • Fingerprint → GET /api/v1/init_consts. Check SITES_ENABLED in JSON response (no auth)
    • Confirm → Inject pg_sleep(N) via Site header on init_consts. ~10s response delta confirms blind timing injection
    • Extract → Inject CAST(()::text AS int) via Site header. PostgreSQL type-error leaks query result in HTTP 500 body

What An Attacker Can Achieve

  • Remote Code Execution: PostgreSQL runs as superuser in Fortinet's shipped VM image; COPY … TO/FROM PROGRAM enables OS-level command execution as the postgres system user
  • Credential Theft: Admin password hashes, API tokens, JWT secrets
  • Endpoint Inventory: Full fleet data: hostnames, IPs, OS versions, serial numbers, installed software
  • Configuration Tampering: Modify endpoint policies and security profiles pushed to all managed clients
  • Certificate Extraction: ZTNA certs and SAML config, enabling lateral movement into broader Fortinet infrastructure
  • Persistence: Create or modify admin accounts for durable access

Indicators Of Compromise

Apache access logs (/var/log/apache2/):

  • Anomalously slow responses (5–20s+) on /api/v1/init_consts or /api/v1/auth/signin
  • HTTP 500 responses on /api/v1/init_consts (normally always HTTP 200)
  • Rapid repeated requests to init_consts from a single source IP with mixed 200/500 codes

PostgreSQL error logs (default log_min_error_statement = ERROR):

  • SET search_path statements containing single quotes, semicolons, or SQL keywords (SELECT, UNION, pg_sleep, COPY)
  • Any search_path value not matching the expected fcm_ pattern
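The indicators above turned into detection logic, as an added Python example that is not part of the advisory. The Apache and PostgreSQL log lines are constructed for the example; the Apache lines use the combined format with %D (response time in microseconds) appended, which is an assumption about the EMS logging configuration, and without such a duration field only the status-code rules apply. The fcm_ tenant pattern and the burst threshold are also assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines: combined format plus %D (microseconds).
APACHE_LOG = """\
203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "curl/8.0" 120000
203.0.113.7 - - [01/Apr/2026:10:00:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "curl/8.0" 10240000
203.0.113.7 - - [01/Apr/2026:10:00:03 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 188 "-" "curl/8.0" 95000
203.0.113.7 - - [01/Apr/2026:10:00:03 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 188 "-" "curl/8.0" 91000
198.51.100.20 - - [01/Apr/2026:10:05:00 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "Mozilla/5.0" 110000
"""

# Constructed PostgreSQL log lines (default log_line_prefix '%m [%p] ' and
# log_min_error_statement = ERROR, so the failing statement is echoed after the ERROR).
PG_LOG = """\
2026-04-01 10:00:02.001 UTC [1234] ERROR:  syntax error at or near "SELECT" at character 25
2026-04-01 10:00:02.001 UTC [1234] STATEMENT:  SET search_path TO 'fcm_a'; SELECT pg_sleep(10)--'
2026-04-01 10:05:00.100 UTC [1240] LOG:  statement: SET search_path TO 'fcm_acme'
"""

WATCHED_PATHS = {"/api/v1/init_consts", "/api/v1/auth/signin"}
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
SEARCH_PATH_RE = re.compile(r"SET search_path TO (?P<value>.*)$", re.IGNORECASE)
EXPECTED_SITE_RE = re.compile(r"^'fcm_[a-z0-9_]+'$")   # assumed legitimate tenant form
SQL_MARKERS = re.compile(r"[';]|\b(select|union|pg_sleep|copy)\b", re.IGNORECASE)


def parse_apache(text):
    """Parse the constructed access-log format into dicts with a float duration."""
    entries = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["seconds"] = int(d["usec"]) / 1_000_000
            entries.append(d)
    return entries


def apache_findings(entries, slow_seconds=5.0, burst_min=3):
    """Apply the three access-log indicators from the advisory; returns (rule, detail) pairs."""
    findings = []
    per_ip = defaultdict(lambda: {"count": 0, "codes": set()})
    for e in entries:
        if e["path"] not in WATCHED_PATHS:
            continue
        if e["seconds"] >= slow_seconds:
            findings.append(("slow_response", f"{e['ip']} {e['path']} took {e['seconds']:.1f}s"))
        if e["path"] == "/api/v1/init_consts":
            if e["status"] == 500:
                findings.append(("init_consts_500", f"{e['ip']} at {e['ts']}"))
            per_ip[e["ip"]]["count"] += 1
            per_ip[e["ip"]]["codes"].add(e["status"])
    # Rapid repeated init_consts requests from one source with mixed 200/500 codes.
    for ip, stats in per_ip.items():
        if stats["count"] >= burst_min and {200, 500} <= stats["codes"]:
            findings.append(("init_consts_burst",
                             f"{ip}: {stats['count']} requests, codes {sorted(stats['codes'])}"))
    return findings


def postgres_findings(text):
    """Flag any SET search_path whose value is not a plain quoted fcm_ tenant name."""
    findings = []
    for line in text.splitlines():
        m = SEARCH_PATH_RE.search(line)
        if not m:
            continue
        value = m.group("value").strip()
        if not EXPECTED_SITE_RE.match(value):
            reason = "sql_markers" if SQL_MARKERS.search(value) else "unexpected_value"
            findings.append(("search_path_anomaly", f"{reason}: {value}"))
    return findings


if __name__ == "__main__":
    for rule, detail in apache_findings(parse_apache(APACHE_LOG)) + postgres_findings(PG_LOG):
        print(rule, detail)
```

On the constructed sample the access-log rules raise one slow-response finding (the 10.2 s request), two HTTP 500 findings and one burst finding for 203.0.113.7, while the PostgreSQL rule flags only the STATEMENT line whose search_path value carries a quote, a semicolon and a keyword; the legitimate 'fcm_acme' value is left alone.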

Recommendations

  1. Upgrade affected FortiClient EMS to version 7.4.5 or later.
  2. If immediate patching is not possible, the following steps can eliminate the attack surface:
    • Disable Multi-Tenant Mode: If your organization does not require multiple virtual domains (vdoms), disabling multi-tenant mode (SITES_ENABLED=False) prevents the vulnerable code path from executing.
    • Limit HTTPS access to the EMS web interface (port 443) to trusted internal IP addresses or administrative VPNs only.
  3. Implement WAF rules to strip or validate the Site header, blocking values that contain single quotes, semicolons, or SQL keywords.

Source:

  • https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
  • https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
  • https://www.linkedin.com/feed/update/urn:li:activity:7443678408401756160/

Ampcus Cyber