Critical FortiClient SQL Injection Vulnerability Enables Arbitrary Database Access
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical SQL injection vulnerability<\/a> in Fortinet\u2019s FortiClient Endpoint Management Server (EMS). Tracked as CVE-2026-21643<\/a>, this severe flaw carries a CVSS score of 9.1. It allows unauthenticated attackers to execute arbitrary SQL commands and access sensitive database information.<\/p>\n The issue specifically affects FortiClient EMS version 7.4.4 when multi-tenant mode is active. The root cause stems from a major middleware refactoring in version 7.4.4. Developers changed how the application handles database connections and tenant routing.<\/a><\/p>\n During this update, they introduced a flaw in the database connection file that passes the HTTP\u00a0Site header directly into a PostgreSQL\u00a0 Because the application middleware does not validate or sanitize this header, attackers can bypass the intended format string and run their own malicious database queries.<\/p>\n Furthermore, this vulnerable middleware runs before any authentication checks<\/a>. Exploiting this weakness requires no valid login credentials. Hackers can send a crafted web request to the server over HTTPS.<\/p>\n Bishop Fox researchers found that the publicly accessible Attackers can first use this endpoint to confirm if the multi-tenant flag is active. If the mode is on, they can inject SQL payloads via the\u00a0Site\u00a0header.<\/p>\n This specific endpoint lacks rate limiting and brute-force lockout protections<\/a>. More importantly, it directly returns PostgreSQL database error messages in the HTTP response body.<\/p>\n This design flaw allows attackers to rapidly extract hidden data using error-based extraction methods in just a single request, bypassing the need for slower time-based injection.<\/p>\n A successful attack results in total compromise of the management database. Because the database user in the Fortinet virtual machine runs with PostgreSQL superuser privileges<\/a>, attackers can achieve remote code execution on the underlying host operating system.<\/p>\n They can also steal administrator passwords, extract digital certificates<\/a>, and view the complete inventory of managed devices.<\/p>\n This level of access lets threat actors modify security policies and push malicious configurations across an organization\u2019s entire network of endpoints.<\/p>\n This aligns with the broader trend of targeting network edge and management appliances<\/a>, which threat actors highly value.\u200b<\/p>\n Indicators of compromise include unusually long response times (5-20+ seconds) on\u00a0 Another indicator is repeated HTTP 500 responses from a single IP address on the\u00a0 Additionally, administrators should monitor PostgreSQL error logs for database\u00a0 Fortinet addressed this critical issue in version 7.4.5 by replacing format-string interpolation with parameterized identifier handling and securely escaping input.<\/p>\n Organizations using FortiClient EMS 7.4.4 should upgrade to version 7.4.5 immediately to mitigate the risk<\/p>\n Security firm Bishop Fox urges that teams<\/a> unable to apply the patch right away should disable the multi-tenant \u201cSites\u201d feature, as this prevents the vulnerable code path from being executed.<\/p>\n Additionally, administrators should restrict web access to the EMS management interface to trusted internal networks only.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical FortiClient SQL Injection Vulnerability Enables Arbitrary Database Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nsearch_path<\/code>\u00a0query.<\/p>\nFortiClient SQL Injection Vulnerability Details<\/strong><\/h2>\n
\u00a0\/api\/v1\/init_consts<\/code>\u00a0endpoint is the most practical attack vector.<\/p>\n\/api\/v1\/auth\/signin<\/code>\u00a0or\u00a0\/api\/v1\/init_consts<\/code>, as logged in Apache access logs.<\/p>\n\/api\/v1\/init_consts<\/code>\u00a0endpoint.<\/p>\nsearch_path<\/code>\u00a0statements that contain single quotes, semicolons, or SQL keywords such as\u00a0SELECT<\/code>.<\/p>\n