"Pre-authentication SQL injection in FortiClient EMS 7.4.4 - CVE-2026-21643 TL;DR: Bishop Fox researchers expanded on Fortinet’s disclosure of CVE-2026-21643 by identifying practical exploitation paths. Our analysis shows attackers can abuse the publicly accessibl…"
T1190 Exploit Public-Facing Application
88%
"Organizations running FortiClient EMS should verify their version and sites_enabled status (accessible pre-auth via GET /api/v1/init_consts as described in the exploitation section), and upgrade to 7.4.5 or later. If immediate patching is not possible, restricting …"
T1190 Exploit Public-Facing Application
87%
"Phase 4: root cause confirmation. Decompiled the full middleware stack (sitemiddleware, authmiddleware, bruteforceprotectionmiddleware, apilogmiddleware) to map the request processing chain and confirm that sitemiddleware executes before authentication. Phase 5: lab reproduct…"
T1190 Exploit Public-Facing Application
75%
"_middleware.pyc), adding several new middlewares (auth_middleware, api_log_middleware, ems_common_middleware, error_handling_middleware, rate_limit_middleware), and modifying the database connection layer in postgres_conn.py. This refactoring changed how…"
T1190 Exploit Public-Facing Application
74%
"injectable, with no brute force lockout, a clean 1x timing multiplier, and PostgreSQL error details leaked in the HTTP 500 response body, enabling error-based data extraction. Phase 7: detection tooling. Developed a PoC script targeting init_consts for both timing-based de…"
T1190 Exploit Public-Facing Application
72%
"via semicolon separation), error-based extraction (cast errors leaking data in HTTP responses, confirmed on init_consts), and blind boolean extraction (conditional pg_sleep() for bit-by-bit data exfiltration as a fallback). Impact assessment: a successful exploit gr…"
T1190 Exploit Public-Facing Application
72%
"searchpath = SQL('SET search_path TO {}, public, addons').format(Identifier(schema)) psycopg.sql.Identifier() properly double-quotes and escapes the schema name, preventing breakout regardless of the input value. Exploitation disclaimer: this research was co…"
T1190 Exploit Public-Facing Application
70%
"_prefix}{self.db_name}', public, addons" def execute(self, query, ...): self._connection.execute(self.searchpath) # runs before every query The format-string interpolation embeds the unsanitized vdom value directly into a SQL statement that executes on every…"
T1190 Exploit Public-Facing Application
45%
"tampering. Modification of endpoint policies, deployment configurations, and security profiles pushed to managed endpoints. - Certificate extraction. Access to ZTNA certificates and SAML configuration data, potentially enabling lateral movement into connected Fortinet infrastruct…"
T1190 Exploit Public-Facing Application
32%
"tectionmiddleware (default 3 attempts before lockout), but init_consts has no such restriction. An attacker with knowledge of the init_consts vector can extract data without triggering any lockout. - Error-based extraction. The init_consts endpoint returns PostgreSQL er…"
Summary
FortiClient EMS 7.4.4 contains a pre-authentication SQL injection vulnerability (CVSS 9.1) in its multi-tenant site routing middleware. An unauthenticated attacker can inject arbitrary SQL by sending a crafted Site HTTP header to any pre-auth endpoint.