Critical FortiClient SQL Injection Flaw Allows Unauthorized Database Access

A critical security vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) is raising serious concerns across enterprise environments, especially those using multi-tenant deployments.

Tracked as CVE-2026-21643, the flaw carries a high CVSS score of 9.1 and allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to full database compromise.

The vulnerability affects FortiClient EMS version 7.4.4 and is particularly dangerous because it can be exploited before authentication.

This means attackers do not need valid credentials to take advantage of the flaw. Instead, they can directly interact with the exposed web interface and send specially crafted requests to manipulate backend database queries.

The root cause of the issue lies in a flawed code update introduced during a major middleware refactor in version 7.4.4.

This middleware is responsible for handling communication between web requests and the backend PostgreSQL database.

According to security researchers at Bishop Fox, the application improperly processes the HTTP “Site” header, which is used to identify tenant environments in multi-tenant setups.

Instead of validating or sanitizing user input, the application directly inserts the raw header value into a SQL query that defines the database search path. This unsafe behavior creates a classic SQL injection condition.

Since the database connection is established before any authentication check runs, an attacker can exploit the flaw with a single malicious request to the exposed endpoint “/api/v1/init_consts.”

This endpoint further worsens the risk because it lacks rate limiting and returns verbose database error messages.

Attackers can use these error messages to perform error-based SQL injection, allowing them to extract sensitive data quickly without relying on slower blind techniques.

Successful exploitation gives attackers database administrator-level privileges. This access can be used to extract administrative credentials, retrieve security certificates, and enumerate all managed endpoints, including IP addresses and installed applications.

In more severe cases, the database’s elevated privileges may allow attackers to execute system-level commands, potentially leading to full server compromise and lateral movement within the network.

Despite its severity, the vulnerability has a limited scope. It only affects version 7.4.4 when the multi-tenant “Sites” feature is enabled.

Other versions, including older releases and the newer 8.0 branch, are not impacted due to differences in architecture.

Fortinet addressed the issue in version 7.4.5 by implementing proper input sanitization for the HTTP header. Organizations using the vulnerable version are strongly advised to upgrade immediately.

For detection, security teams should analyze Apache access logs for unusual patterns, such as repeated requests to “/api/v1/init_consts,” long response times, or spikes in HTTP 500 errors.
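The log check described above, as an added example that is not part of the original article: it scans Apache combined-format access log lines and flags clients that repeatedly request the endpoint or trigger several HTTP 500 responses on it. The log format regex, the thresholds and the sample addresses are assumptions; the log lines are constructed, not real EMS traffic.

```python
import re
from collections import defaultdict

# Apache combined log format (assumed; adjust the regex if the EMS logs differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_PATH = "/api/v1/init_consts"

def parse_line(line):
    """Extract client IP, request path and status code from one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}

def summarize(lines):
    """Per-client count of requests to the endpoint and of HTTP 500s on it."""
    stats = defaultdict(lambda: {"hits": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != TARGET_PATH:
            continue  # malformed line or unrelated endpoint
        s = stats[rec["ip"]]
        s["hits"] += 1
        if rec["status"] == 500:
            s["errors"] += 1
    return dict(stats)

def flag_clients(lines, max_hits=4, max_errors=2):
    """Return client IPs whose init_consts traffic exceeds the (assumed) thresholds."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if s["hits"] > max_hits or s["errors"] > max_errors)

# Constructed sample log: one noisy client and one normal client (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 498 "-" "curl/8.0"
198.51.100.5 - - [10/Jan/2026:10:00:03 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 501 "-" "curl/8.0"
198.51.100.5 - - [10/Jan/2026:10:00:05 +0000] "GET /login HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:06 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 1204 "-" "curl/8.0"
198.51.100.5 - - [10/Jan/2026:10:00:07 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:08 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 1204 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # prints ['203.0.113.7']
```

Point it at a real log with `flag_clients(open("/var/log/apache2/access.log"))` and tune the thresholds to the normal request rate of your EMS clients.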

As a temporary mitigation, disabling the multi-tenant feature or restricting external access to the EMS interface can help reduce exposure until patching is complete.

The post Critical FortiClient SQL Injection Flaw Allows Unauthorized Database Access appeared first on Cyber Security News.
