Critical FortiClient SQL Injection Vulnerability Enables Arbitrary Database Access

March 18, 2026
FortiClient SQL Injection vulnerability

A critical SQL injection vulnerability has been disclosed in Fortinet’s FortiClient Endpoint Management Server (EMS). Tracked as CVE-2026-21643, the flaw carries a CVSS score of 9.1 and allows unauthenticated attackers to execute arbitrary SQL commands and read sensitive database contents.

The issue specifically affects FortiClient EMS version 7.4.4 when multi-tenant mode is active. The root cause stems from a major middleware refactoring in version 7.4.4. Developers changed how the application handles database connections and tenant routing.

During this update, they introduced a flaw in the database connection file: the value of the HTTP Site header is passed directly into a PostgreSQL search_path statement.

Because the application middleware neither validates nor sanitizes this header, attackers can break out of the intended format string and run database queries of their own.

Furthermore, this vulnerable middleware runs before any authentication checks. Exploiting this weakness requires no valid login credentials. Hackers can send a crafted web request to the server over HTTPS.

Bishop Fox researchers found that the publicly accessible /api/v1/init_consts endpoint is the most practical attack vector.

Attackers can first use this endpoint to confirm if the multi-tenant flag is active. If the mode is on, they can inject SQL payloads via the Site header.

This specific endpoint lacks rate limiting and brute-force lockout protections. More importantly, it directly returns PostgreSQL database error messages in the HTTP response body.

This design flaw allows attackers to rapidly extract hidden data using error-based extraction methods in just a single request, bypassing the need for slower time-based injection.

A successful attack results in total compromise of the management database. Because the database user in the Fortinet virtual machine runs with PostgreSQL superuser privileges, attackers can achieve remote code execution on the underlying host operating system.

They can also steal administrator passwords, extract digital certificates, and view the complete inventory of managed devices.

This level of access lets threat actors modify security policies and push malicious configurations across an organization’s entire network of endpoints.

This aligns with the broader trend of targeting network edge and management appliances, which threat actors highly value.

Indicators of compromise include unusually long response times (5-20+ seconds) on /api/v1/auth/signin or /api/v1/init_consts, as recorded in the Apache access logs.

Another indicator is repeated HTTP 500 responses to a single source IP address on the /api/v1/init_consts endpoint.

Additionally, administrators should monitor the PostgreSQL logs for search_path statements that contain single quotes, semicolons, or SQL keywords such as SELECT.
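The three indicators above can be checked mechanically. The following Python is an added example, not Fortinet's or Bishop Fox's tooling: it scans constructed Apache access-log lines (combined format with the request duration in microseconds appended via `%D`, an assumed LogFormat) for slow responses and repeated 500s on the two endpoints named, and scans constructed PostgreSQL statement-log lines for search_path statements carrying quotes, semicolons or SQL keywords. The thresholds, log formats and sample lines are assumptions to adjust to the deployment.

```python
import re
from collections import Counter

# Constructed Apache access-log sample: combined format with %D (request
# duration in microseconds) as the last field. Assumed format, not Fortinet's.
ACCESS_LOG = """\
203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 312 "-" "python-requests/2.31" 412000
203.0.113.7 - - [18/Mar/2026:10:01:03 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 298 "-" "python-requests/2.31" 9800000
203.0.113.7 - - [18/Mar/2026:10:01:05 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 301 "-" "python-requests/2.31" 15200000
198.51.100.4 - - [18/Mar/2026:10:01:06 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 120000
198.51.100.4 - - [18/Mar/2026:10:01:07 +0000] "POST /api/v1/auth/signin HTTP/1.1" 200 512 "-" "Mozilla/5.0" 210000
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Endpoints and thresholds taken from the indicators in the article; the
# exact cut-offs are assumptions.
WATCHED_PATHS = {"/api/v1/init_consts", "/api/v1/auth/signin"}
SLOW_SECONDS = 5.0
ERROR_THRESHOLD = 3


def scan_access_log(text, slow_seconds=SLOW_SECONDS, error_threshold=ERROR_THRESHOLD):
    """Return slow requests on watched paths and IPs with repeated 500s on init_consts."""
    slow = []
    errors = Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["path"] not in WATCHED_PATHS:
            continue
        seconds = int(m["micros"]) / 1_000_000
        if seconds >= slow_seconds:
            slow.append((m["ip"], m["path"], seconds))
        if m["status"] == "500" and m["path"] == "/api/v1/init_consts":
            errors[m["ip"]] += 1
    repeat_500 = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return {"slow": slow, "repeat_500": repeat_500}


# Constructed PostgreSQL statement-log sample (log_statement = 'all' style);
# the exact search_path statement form is assumed.
PG_LOG = """\
2026-03-18 10:01:02 UTC [1234] LOG:  statement: SET search_path TO tenant_a
2026-03-18 10:01:03 UTC [1235] LOG:  statement: SET search_path TO tenant_b'; SELECT 1
2026-03-18 10:01:04 UTC [1236] LOG:  statement: SELECT id FROM devices
"""

# Quote characters, statement separators, or SQL keywords inside the value
# given to search_path: none of these belong in a legitimate tenant name.
SUSPICIOUS = re.compile(
    r"['\";]|\b(SELECT|UNION|INSERT|UPDATE|DELETE|DROP|COPY)\b", re.IGNORECASE
)


def scan_pg_log(text):
    """Return log lines whose search_path value carries quotes, semicolons or keywords."""
    hits = []
    for line in text.splitlines():
        if "search_path" not in line:
            continue
        value = line.split("search_path", 1)[1]
        if SUSPICIOUS.search(value):
            hits.append(line)
    return hits


if __name__ == "__main__":
    report = scan_access_log(ACCESS_LOG)
    for ip, path, secs in report["slow"]:
        print(f"slow response {secs:.1f}s from {ip} on {path}")
    for ip, n in report["repeat_500"].items():
        print(f"{n} HTTP 500s from {ip} on /api/v1/init_consts")
    for line in scan_pg_log(PG_LOG):
        print("suspicious search_path:", line)
```

Run it against real logs by replacing the two constructed samples with file contents; a legitimate tenant name should never trip the PostgreSQL check, so any hit there is worth a look on its own, while the access-log checks are noisier and are best read together.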

Fortinet addressed this critical issue in version 7.4.5 by replacing format-string interpolation with parameterized identifier handling and securely escaping input.
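To make the difference between the two code paths concrete, here is an added Python illustration (not FortiClient EMS source, whose language and structure the page does not show) of a search_path statement built by format-string interpolation of the Site header, beside a hardened version that allowlists the tenant name and then quotes it as a PostgreSQL identifier. With a real driver the quoted identifier would come from the driver's identifier helper (for example psycopg's `sql.Identifier`); the naming rule, function names and error type here are assumptions.

```python
import re
from typing import Optional


# Vulnerable pattern, as described in the advisory: the raw header value is
# interpolated into the statement text, so whatever it contains becomes SQL.
# Constructed illustration of the pattern, not EMS code.
def build_search_path_unsafe(site_header: str) -> str:
    return "SET search_path TO %s" % site_header


# Hardened pattern. Tenant names are checked against an allowlist first
# (assumed naming rule: identifier-like, at most 63 characters, which is
# PostgreSQL's identifier length limit) and then quoted as a SQL identifier,
# so the header can neither end the statement nor start another one.
TENANT_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


class InvalidTenant(ValueError):
    """Raised when the Site header is missing or fails the allowlist."""


def is_valid_tenant(name: Optional[str]) -> bool:
    return name is not None and TENANT_NAME.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    # PostgreSQL double-quoted identifier; embedded double quotes are doubled.
    return '"' + name.replace('"', '""') + '"'


def build_search_path_safe(site_header: Optional[str]) -> str:
    # Reject before touching the database; a rejected header produces a plain
    # 4xx upstream rather than a PostgreSQL error leaking into the response.
    if not is_valid_tenant(site_header):
        raise InvalidTenant("Site header rejected before reaching the database")
    return "SET search_path TO " + quote_identifier(site_header)


def contains_statement_break(sql: str) -> bool:
    # Review-time sanity check for generated SQL: a single SET statement built
    # from a tenant name must not carry a single quote or a semicolon.
    return any(ch in sql for ch in "';")


if __name__ == "__main__":
    for header in ("tenant_a", "a; b"):
        print("unsafe:", repr(build_search_path_unsafe(header)))
        try:
            print("safe:  ", repr(build_search_path_safe(header)))
        except InvalidTenant as exc:
            print("safe:   rejected:", exc)
```

The allowlist alone already closes the injection; the identifier quoting is defence in depth so that a later relaxation of the naming rule does not silently reopen the format-string path.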

Organizations using FortiClient EMS 7.4.4 should upgrade to version 7.4.5 immediately to mitigate the risk.

Security firm Bishop Fox urges that teams unable to apply the patch right away should disable the multi-tenant “Sites” feature, as this prevents the vulnerable code path from being executed.

Additionally, administrators should restrict web access to the EMS management interface to trusted internal networks only.

