Severity: Critical
Vulnerability Summary
- CVE: CVE-2026-21643
- CVSS Score: 9.1
- Vulnerability Type: Pre-authentication SQL Injection
- Affected Version: FortiClient EMS 7.4.4 only
- Fixed Version: 7.4.5+
- Description:
- The vulnerability was introduced during a refactoring of the middleware stack and database connection layer in version 7.4.4.
- When multi-tenant mode (SITES_ENABLED) is active, a Site HTTP header selects the tenant context. The header value is interpolated directly into a format-string SQL query (SET search_path TO '{site}') with no sanitization, quoting, or character filtering.
- The SiteMiddleware that processes this header runs before the AuthMiddleware, so the injection fires before any login check.
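The two defects described above (unsafe interpolation of the Site header, and tenant selection running ahead of authentication) are easiest to see side by side. The following Python is an added illustration, not Fortinet's code: the class and function names, the in-memory FakeDB that merely records what a driver would send to PostgreSQL, and the tenant-name allowlist (an fcm_ prefix, taken from the IoC section below) are all assumptions for the demo.

```python
import re

# Constructed Site header value of the shape the advisory describes.
PAYLOAD = "fcm_x'; SELECT pg_sleep(10)--"


class FakeDB:
    """Stand-in for a DB connection: records the statement text a real driver would send."""

    def __init__(self):
        self.executed = []

    def execute(self, statement):
        self.executed.append(statement)


def vulnerable_site_middleware(headers, db, sites_enabled=True):
    """The flawed shape: runs before auth, header value pasted straight into the query."""
    if not sites_enabled:                      # SITES_ENABLED=False: this path never runs
        return None
    site = headers.get("Site", "")
    db.execute(f"SET search_path TO '{site}'")  # string interpolation == SQL injection
    return site


# Assumed tenant-name shape; adjust to whatever your deployment actually uses.
SITE_ALLOWLIST = re.compile(r"^fcm_[A-Za-z0-9_]{1,60}$")


def quote_ident(name):
    """Quote a PostgreSQL identifier; inside double quotes the only metacharacter is '"'."""
    return '"' + name.replace('"', '""') + '"'


def hardened_site_middleware(headers, db, sites_enabled=True, authenticated=False):
    """Three independent fixes: auth first, allowlist the value, quote the identifier."""
    if not sites_enabled:
        return None
    if not authenticated:
        raise PermissionError("tenant selection only after AuthMiddleware has run")
    site = headers.get("Site", "")
    if not SITE_ALLOWLIST.fullmatch(site):
        raise ValueError("Site header rejected: %r" % site)
    db.execute("SET search_path TO " + quote_ident(site))
    return site


def demo():
    """Run the payload through both versions and report what reached the database."""
    bad = {"Site": PAYLOAD}
    outcomes = {}

    v = FakeDB()
    vulnerable_site_middleware(bad, v)
    outcomes["vulnerable_sql"] = v.executed[0]   # two statements in one string

    h = FakeDB()
    try:
        hardened_site_middleware({"Site": "fcm_default"}, h)   # not yet authenticated
        outcomes["pre_auth"] = "accepted"
    except PermissionError:
        outcomes["pre_auth"] = "rejected"
    try:
        hardened_site_middleware(bad, h, authenticated=True)
        outcomes["hardened"] = "accepted"
    except ValueError:
        outcomes["hardened"] = "rejected"
    hardened_site_middleware({"Site": "fcm_default"}, h, authenticated=True)
    outcomes["hardened_sql"] = h.executed[0]
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Note that the allowlist alone would have stopped this payload, but ordering AuthMiddleware first is what turns a pre-auth bug into a post-auth one, and quoting the identifier protects against whatever the allowlist later grows to admit; all three belong in the fix.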
Exploitation
- Attack Vector: Network-based; requires no credentials if the EMS web interface is reachable over HTTPS.
- Reconnaissance: Attackers can determine if a target is vulnerable by querying the publicly accessible GET /api/v1/init_consts endpoint to check if SITES_ENABLED is true.
- Attack Chain
- Fingerprint: GET /api/v1/init_consts and check SITES_ENABLED in the JSON response (no auth required).
- Confirm: inject pg_sleep(N) via the Site header on init_consts; a ~10s response delta confirms time-based blind injection.
- Extract: inject CAST((<subquery>)::text AS int) via the Site header; the PostgreSQL type error echoes the subquery result in the HTTP 500 body.
What An Attacker Can Achieve
| Capability | Detail |
| --- | --- |
| Remote Code Execution | PostgreSQL runs as superuser in Fortinet's shipped VM image; COPY ... TO/FROM PROGRAM enables OS-level command execution as the postgres system user |
| Credential Theft | Admin password hashes, API tokens, JWT secrets |
| Endpoint Inventory | Full fleet data: hostnames, IPs, OS versions, serial numbers, installed software |
| Configuration Tampering | Modify endpoint policies and security profiles pushed to all managed clients |
| Certificate Extraction | ZTNA certs and SAML config, enabling lateral movement into broader Fortinet infrastructure |
| Persistence | Create or modify admin accounts for durable access |
Indicators Of Compromise
Apache access logs (/var/log/apache2/):
- Anomalously slow responses (5–20s+) on /api/v1/init_consts or /api/v1/auth/signin
- HTTP 500 responses on /api/v1/init_consts (normally always HTTP 200)
- Rapid repeated requests to init_consts from a single source IP with mixed 200/500 codes
PostgreSQL error logs (default log_min_error_statement = ERROR):
- SET search_path statements containing single quotes, semicolons, or SQL keywords (SELECT, UNION, pg_sleep, COPY)
- Any search_path value not matching the expected fcm_ pattern
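The indicators above translate directly into log triage logic. The Python below is an added example (not from the advisory or Fortinet) that runs the checks over a few constructed Apache and PostgreSQL log lines. It assumes an Apache LogFormat with the request duration in microseconds (%D) appended to the combined format; stock combined logs carry no duration field, so adapt the regex to your LogFormat. The PostgreSQL lines are likewise constructed; with the default log_min_error_statement = ERROR only statements that failed are logged, which is exactly the error-based extraction traffic you want to see.

```python
import re
from collections import defaultdict

# Constructed sample data (not from a real system).
APACHE_LINES = """\
10.0.0.5 - - [02/Apr/2026:10:00:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 812 "-" "Mozilla/5.0" 41230
10.0.0.9 - - [02/Apr/2026:10:00:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 812 "-" "python-requests/2.31" 10204113
10.0.0.9 - - [02/Apr/2026:10:00:13 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 1450 "-" "python-requests/2.31" 88012
10.0.0.9 - - [02/Apr/2026:10:00:14 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 1450 "-" "python-requests/2.31" 90114
10.0.0.5 - - [02/Apr/2026:10:00:20 +0000] "POST /api/v1/auth/signin HTTP/1.1" 200 230 "-" "Mozilla/5.0" 152000
""".splitlines()

PG_LINES = """\
2026-04-02 10:00:02.117 UTC [2211] STATEMENT:  SET search_path TO 'fcm_default'
2026-04-02 10:00:13.402 UTC [2211] ERROR:  invalid input syntax for type integer: "postgres"
2026-04-02 10:00:13.402 UTC [2211] STATEMENT:  SET search_path TO 'fcm_x'; SELECT CAST((SELECT current_user)::text AS int)--'
""".splitlines()

# Combined format plus a trailing %D field (assumed LogFormat).
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)
WATCHED_PATHS = ("/api/v1/init_consts", "/api/v1/auth/signin")
SLOW_SECONDS = 5.0          # advisory: 5-20s+ responses are anomalous on these endpoints
BURST_MIN_REQUESTS = 3      # assumed threshold for "rapid repeated requests"


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["seconds"] = int(rec["us"]) / 1e6
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def apache_findings(lines):
    """Return (kind, ip, path, detail) tuples for each IoC hit in the access log."""
    findings = []
    per_ip_codes = defaultdict(set)
    per_ip_count = defaultdict(int)
    for line in lines:
        rec = parse_apache(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        if rec["seconds"] >= SLOW_SECONDS:            # pg_sleep probing
            findings.append(("slow_response", rec["ip"], rec["path"], round(rec["seconds"], 1)))
        if rec["path"] == "/api/v1/init_consts":
            if rec["status"] == 500:                   # error-based extraction; endpoint is normally 200
                findings.append(("init_consts_500", rec["ip"], rec["path"], 500))
            per_ip_count[rec["ip"]] += 1
            per_ip_codes[rec["ip"]].add(rec["status"])
    for ip, codes in per_ip_codes.items():              # one source, many hits, mixed 200/500
        if per_ip_count[ip] >= BURST_MIN_REQUESTS and {200, 500} <= codes:
            findings.append(("mixed_200_500_burst", ip, "/api/v1/init_consts", per_ip_count[ip]))
    return findings


SEARCH_PATH_RE = re.compile(r"SET search_path TO (?P<value>.+)$", re.IGNORECASE)
EXPECTED_VALUE_RE = re.compile(r"^'fcm_[A-Za-z0-9_]+'$")     # expected tenant pattern (assumed shape)
KEYWORD_RE = re.compile(r"\b(SELECT|UNION|PG_SLEEP|COPY|CAST)\b", re.IGNORECASE)


def pg_findings(lines):
    """Return (value, reasons) for every logged search_path value that looks injected."""
    findings = []
    for line in lines:
        m = SEARCH_PATH_RE.search(line)
        if not m:
            continue
        value = m.group("value").strip()
        inner = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == "'" else value
        reasons = []
        if ";" in value:
            reasons.append("semicolon")
        if "'" in inner:
            reasons.append("quote")
        keywords = sorted({k.upper() for k in KEYWORD_RE.findall(value)})
        if keywords:
            reasons.append("keyword:" + ",".join(keywords))
        if not EXPECTED_VALUE_RE.match(value):
            reasons.append("unexpected_pattern")
        if reasons:
            findings.append((value, reasons))
    return findings


if __name__ == "__main__":
    for f in apache_findings(APACHE_LINES):
        print("apache", f)
    for f in pg_findings(PG_LINES):
        print("postgres", f)
```

The PostgreSQL check deliberately flags on the allowlist miss as well as on the blocklist hits: a Site value that carries no quote, semicolon or keyword but still does not match the expected fcm_ pattern is worth a look, since the attacker controls every byte of that header.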
Recommendations
- Upgrade affected FortiClient EMS to version 7.4.5 or later.
- If immediate patching is not possible, the following steps reduce or eliminate the attack surface:
• Disable Multi-Tenant Mode: If your organization does not require multiple virtual domains (vdoms), disabling multi-tenant mode (SITES_ENABLED=False) prevents the vulnerable code path from executing.
• Limit HTTPS access to the EMS web interface (port 443) to trusted internal IP addresses or administrative VPNs only.
• Implement WAF rules to strip or validate the Site header and block values containing single quotes, semicolons, or SQL keywords. An allowlist matching the expected fcm_ tenant-name pattern is more robust than a keyword blocklist.
Source:
- https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
- https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
- https://www.linkedin.com/feed/update/urn:li:activity:7443678408401756160/