Cybersecurity researchers at Bishop Fox have released a technical deep-dive into a critical vulnerability affecting FortiClient EMS, Fortinet’s centralized management solution for endpoint security. The flaw allows a completely unauthenticated attacker to execute arbitrary SQL commands, potentially leading to a total takeover of the management server and its managed endpoints.
The vulnerability, tracked as CVE-2026-21643, carries a critical CVSS score of 9.1.
The security gap was introduced during a refactor of the middleware stack and database connection layer in version 7.4.4. While the update was intended to evolve the platform’s multi-tenancy features, it inadvertently created a path for unsanitized user input to reach the core database.
The “Site” HTTP header, used to identify which tenant a request belongs to, is the primary vector for the attack. Because this processing happens before any login check, it creates a “zero-click” exploit scenario.
As the Bishop Fox analysis explains:
“The HTTP header used to identify which tenant a request belongs to is now passed directly into a database query without sanitization, and this happens before any login check”.
A single, crafted HTTP request is all it takes to trigger the injection against the backing PostgreSQL database. Once an attacker achieves arbitrary SQL execution, the “blast radius” covers nearly every sensitive asset within the EMS environment.
Successful exploitation grants access to:
- Administrator Credentials: Stealing hashes or plain-text credentials for EMS admins.
- Endpoint Inventory: Viewing a complete map of all managed devices on the network.
- Security Policies: Modifying or disabling the security rules that protect the fleet.
- Digital Certificates: Accessing certificates used to authenticate and manage endpoints.
For organizations concerned about active exploitation, Bishop Fox notes that standard error logs may not tell the whole story. Attackers often use “time-based” injection (using functions like pg_sleep()) to verify the vulnerability without triggering a database error.
“Successful time-based injection via pg_sleep() does not produce a PostgreSQL error and will not appear in the error log under default settings”.
To uncover this activity, researchers suggest temporarily enabling full statement logging (log_statement = 'all'), though they warn of significant performance overhead.
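The following is an added example of what a defender can do with that statement log once it is enabled; it is not code from Bishop Fox or Fortinet. It assumes PostgreSQL's default log_line_prefix ('%m [%p] ', i.e. a millisecond timestamp followed by the backend process id) and flags any logged statement that calls pg_sleep or its pg_sleep_for/pg_sleep_until variants, which is the signal the error log alone will not show. The log lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""Scan a PostgreSQL statement log for time-based probes (pg_sleep calls).

Added example, not Bishop Fox or Fortinet code. Assumes log_statement = 'all'
and the default log_line_prefix '%m [%p] '; adjust LINE_RE if your prefix
differs. Sample log lines below are constructed, not captured.
"""
import re
from collections import Counter
from dataclasses import dataclass

# '%m [%p] LOG:  statement: <sql>' -- timestamp, pid, then the statement text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \S+) "
    r"\[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$"
)
# Delay primitives available in PostgreSQL; case-insensitive because SQL is.
SLEEP_RE = re.compile(r"\bpg_sleep(_for|_until)?\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    pid: str
    sql: str


def scan_statement_log(lines):
    """Return one Finding per logged statement that invokes a sleep function."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ERROR/DETAIL/continuation lines are not statements
        if SLEEP_RE.search(m.group("sql")):
            findings.append(Finding(m.group("ts"), m.group("pid"), m.group("sql")))
    return findings


def count_by_pid(findings):
    """Group hits by backend pid: repeated sleeps from one session stand out."""
    return dict(Counter(f.pid for f in findings))


# Constructed sample: one ordinary tenant lookup, two sleeps from the same
# backend, one classic error line (visible in the error log anyway), and a
# pg_sleep_for variant.
SAMPLE_LOG = [
    "2026-01-15 10:23:45.123 UTC [4711] LOG:  statement: SELECT id FROM sites WHERE name = 'default'",
    "2026-01-15 10:23:46.001 UTC [4712] LOG:  statement: SELECT pg_sleep(5)",
    "2026-01-15 10:23:51.040 UTC [4712] LOG:  statement: select PG_SLEEP(10)",
    '2026-01-15 10:23:52.000 UTC [4713] ERROR:  syntax error at or near "x" at character 30',
    "2026-01-15 10:23:53.500 UTC [4714] LOG:  statement: SELECT pg_sleep_for('2 seconds')",
]

if __name__ == "__main__":
    hits = scan_statement_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} pid={f.pid} {f.sql}")
    print("per-pid:", count_by_pid(hits))
```

A legitimate administrator can also run pg_sleep, so treat hits as leads to correlate with the web server's access log (source address and the Site header value of the request that arrived just before the timestamp) rather than as confirmed exploitation. Remember to turn log_statement back off once the review is done.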
The vulnerability specifically impacts FortiClient EMS 7.4.4 when multi-tenant mode is enabled. Single-site deployments are currently reported as not affected.
Critical Security Actions:
- Patch Immediately: Upgrade to FortiClient EMS 7.4.5 or later. This version replaces vulnerable string interpolation with proper parameterization.
- Restrict Web Access: Limit HTTPS access to the EMS web GUI to authorized management networks only.
- Disable Multi-Tenancy: If the “Sites” feature is not required, disabling it makes the vulnerable code unreachable.
- WAF Protection: Deploy Web Application Firewall rules to strip or validate the “Site” header, specifically blocking SQL keywords and semicolons.
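To make the "string interpolation versus parameterization" point of the patch advice concrete, here is an added example that is not Fortinet's code: a tenant lookup keyed on the Site header written the vulnerable way and the fixed way. It uses Python's built-in sqlite3 module so it runs offline; the table name sites and its columns are assumptions, and with PostgreSQL the same fix applies using the driver's placeholder (for example %s with psycopg2) in place of ?.

```python
"""Tenant lookup by Site header: string interpolation vs. parameterization.

Added example, not Fortinet's code. sqlite3 stands in for PostgreSQL so the
demo runs offline; the 'sites' table and its columns are assumptions.
"""
import sqlite3


def make_db():
    """Constructed in-memory tenant table with two sites."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.executemany(
        "INSERT INTO sites (name) VALUES (?)", [("default",), ("Acme's Site",)]
    )
    return conn


def site_id_interpolated(conn, site_header):
    """BEFORE: the header value is spliced into the SQL text.

    Anything in the value that the SQL parser cares about (a quote, a
    semicolon) becomes part of the query's structure instead of data.
    """
    sql = f"SELECT id FROM sites WHERE name = '{site_header}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def site_id_parameterized(conn, site_header):
    """AFTER: the value travels as a bound parameter; the parser never sees it."""
    row = conn.execute(
        "SELECT id FROM sites WHERE name = ?", (site_header,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups on a name that contains a quote and report the outcome."""
    conn = make_db()
    results = {"param": site_id_parameterized(conn, "Acme's Site")}
    try:
        results["interp"] = site_id_interpolated(conn, "Acme's Site")
    except sqlite3.OperationalError as exc:  # the quote broke the statement
        results["interp"] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup returns the row for "Acme's Site" because the apostrophe is just data; the interpolated lookup fails with a syntax error because the same apostrophe terminated the string literal early. That syntax error is exactly the behaviour the time-based probes described above avoid triggering, which is why the parameterized form, and not input filtering alone, is the fix.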