Exploitation of Critical Fortinet FortiClient EMS Flaw Begins
Briefly

"Our analysis shows attackers can abuse the publicly accessible /api/v1/init_consts endpoint to trigger the SQL injection before authentication. Because this endpoint returns database error messages and has no lockout protections, attackers can rapidly extract sensitive data from vulnerable FortiClient EMS 7.4.4 multi-tenant deployments."
"The issue was introduced in version 7.4.4 through a redesigned middleware stack and database connection layer that resulted in HTTP identification headers being passed to a database query without sanitization, before authentication."
"This enables an attacker to execute arbitrary SQL code against the database and access admin credentials, endpoint inventory, security policies, and endpoint certificates."
A critical-severity SQL injection vulnerability, tracked as CVE-2026-21643, has been exploited in Fortinet FortiClient EMS version 7.4.4. This flaw allows remote attackers to execute arbitrary code without authentication via crafted HTTP requests. The vulnerability was patched in version 7.4.5. Cybersecurity firm Bishop Fox reported that attackers can exploit the /api/v1/init_consts endpoint to extract sensitive data rapidly. The issue arose from a redesigned middleware stack that failed to sanitize HTTP identification headers before passing them to a database query.
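As an added defender-side example (not code from SecurityWeek, Bishop Fox or Fortinet), the Python below flags unauthenticated requests to the endpoint named above whose headers carry SQL metacharacters, and sources hitting it in rapid bursts, since the report notes the endpoint has no lockout; the log record shape and the X-Tenant-Id header name are assumptions.

```python
# Added detection example, not code from the report; record shape and the
# X-Tenant-Id header name are assumptions (advisory: "HTTP identification headers").
import re
from collections import defaultdict
from typing import Dict, List

VULN_PATH = "/api/v1/init_consts"  # pre-auth endpoint named in the report
# SQL metacharacters/keywords a legitimate client would not send in a header.
SQLI_RE = re.compile(r"(['\"]|--|/\*|;|\b(union|select|sleep|pg_sleep|waitfor)\b)", re.I)

def flag_request(req: Dict) -> List[str]:
    """Reasons a single pre-auth request looks like injection probing."""
    reasons: List[str] = []
    if req["path"] != VULN_PATH or req.get("authenticated"):
        return reasons
    for name, value in req["headers"].items():
        if SQLI_RE.search(value):
            reasons.append(f"sql metacharacter in header {name}: {value!r}")
    if req.get("status") == 500:  # endpoint leaks DB errors: fits error-based probing
        reasons.append("server error on pre-auth endpoint")
    return reasons

def find_bursts(reqs: List[Dict], window: int = 60, threshold: int = 20) -> Dict[str, int]:
    """Sources with >= threshold pre-auth hits inside any window-second span;
    the endpoint has no lockout, so a burst suggests bulk data extraction."""
    by_src: Dict[str, List[int]] = defaultdict(list)
    for r in reqs:
        if r["path"] == VULN_PATH and not r.get("authenticated"):
            by_src[r["src"]].append(r["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts

def _req(ts: int, src: str, tenant: str, status: int = 200) -> Dict:
    """Build one constructed pre-auth log record for the sample below."""
    return {"ts": ts, "src": src, "path": VULN_PATH, "authenticated": False,
            "headers": {"X-Tenant-Id": tenant}, "status": status}

# Constructed sample: a stray quote that triggers a DB error, one normal
# tenant lookup, then a rapid run of pre-auth hits from the probing source.
SAMPLE_REQUESTS = [_req(0, "203.0.113.9", "1'", 500), _req(1, "198.51.100.4", "42")]
SAMPLE_REQUESTS += [_req(t, "203.0.113.9", str(t)) for t in range(2, 30)]
```

Run `flag_request` per record and `find_bursts` over the batch; both signals together separate a single malformed tenant header from sustained extraction.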
Read at SecurityWeek