FortiClient EMS SQL Injection Flaw: A Critical Cybersecurity Threat (2026)

Fortinet's FortiClient Enterprise Management Server (EMS) has been hit by a severe SQL injection vulnerability, CVE-2026-21643, which could have devastating consequences for corporate networks. This pre-authentication flaw, with a near-maximum CVSS severity score of 9.1, allows unauthenticated attackers to execute arbitrary SQL commands and gain total control over the underlying database. The vulnerability specifically affects multi-tenant deployments of FortiClient EMS version 7.4.4, putting sensitive corporate network data at immediate risk.

The flaw stems from a problematic code change in version 7.4.4, in which Fortinet developers heavily refactored the middleware that connects web requests to the database. The defect lies in how the system handles the HTTP 'Site' header, which identifies the tenant environment a request belongs to. The flawed code takes the raw header value and feeds it directly into a PostgreSQL query that sets the search path, without sanitizing the input at all. Crucially, this database connection is established before the system even asks the user for a password.

This means that anyone who can reach the EMS web interface over the internet can exploit it. Attackers only need to send a single, carefully crafted web request to a publicly accessible endpoint, specifically the /api/v1/init_consts path. This endpoint is especially dangerous because it has no rate-limiting protections and returns database error messages directly in the web response. Using a technique called error-based extraction, attackers can manipulate these error messages to rapidly pull sensitive data from the server, without resorting to slower blind attack methods.

The consequences of a successful breach are devastating. By injecting malicious SQL commands, an attacker gains the same system rights as the database administrator. This level of access enables them to steal administrative passwords, harvest security certificates, and map out the entire inventory of a company's managed endpoints, including IP addresses and installed software. Because the database user operates with superuser privileges, hackers can also execute commands directly on the server's operating system, potentially leading to a complete network takeover.

However, the scope of this bug is narrow. It only affects FortiClient EMS version 7.4.4 when the multi-tenant 'Sites' feature is enabled. Older versions and the newer 8.0 release use different code architectures and remain unaffected. Fortinet successfully patched the issue exactly one release later in version 7.4.5 by forcing the software to properly sanitize the incoming HTTP header input.

Security experts urge organizations running the vulnerable 7.4.4 software to upgrade immediately. To detect potential intrusions, security teams should review Apache access logs for unusually long response times or unexpected HTTP 500 errors on the /api/v1/init_consts endpoint. For teams unable to patch right away, disabling the multi-tenant feature or strictly limiting web access to the EMS interface can temporarily block attackers from exploiting this flaw.
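The log review suggested above, as an added example that is not from the article or from Fortinet: a small Python script that flags requests to the /api/v1/init_consts endpoint that returned HTTP 500 or took unusually long. The Apache LogFormat (combined format with a trailing %D service-time field), the 2-second threshold and the sample log lines are assumptions constructed for this example.

```python
import re

# Assumed Apache LogFormat (an assumption for this example, not from the page):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D"
# %D is the service time in microseconds; without it only the status rule fires.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: (?P<us>\d+))?$'
)
TARGET_PATH = "/api/v1/init_consts"  # endpoint named in the write-up
SLOW_US = 2_000_000                   # 2 s; tune to your own EMS baseline

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["us"] = int(rec["us"]) if rec["us"] is not None else None
    return rec

def find_suspicious(lines, slow_us=SLOW_US):
    """Flag init_consts requests that returned HTTP 500 or exceeded slow_us.
    Returns a list of (ip, timestamp, status, reason) tuples."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        reasons = []
        if rec["status"] == 500:
            reasons.append("http500")
        if rec["us"] is not None and rec["us"] >= slow_us:
            reasons.append("slow")
        if reasons:
            hits.append((rec["ip"], rec["ts"], rec["status"], "+".join(reasons)))
    return hits

# Constructed sample lines (not real traffic): 203.0.113.7 trips the 500 rule
# twice, 198.51.100.5 trips the slow rule once, /login is ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:14:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "Mozilla/5.0" 41230
203.0.113.7 - - [10/Feb/2026:09:14:03 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 233 "-" "python-requests/2.31" 88120
203.0.113.7 - - [10/Feb/2026:09:14:04 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 233 "-" "python-requests/2.31" 87501
198.51.100.5 - - [10/Feb/2026:09:15:10 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5120044
192.0.2.9 - - [10/Feb/2026:09:16:00 +0000] "GET /login HTTP/1.1" 500 100 "-" "curl/8.0" 9000000
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Feed it real access logs with `find_suspicious(open("access.log"))`; a burst of hits from one source address is the pattern to escalate.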

This incident highlights the ongoing challenges in cybersecurity, where even well-known vendors can have critical vulnerabilities. It underscores the importance of prompt patching and the need for security teams to remain vigilant against emerging threats. As the cyber landscape continues to evolve, organizations must stay ahead of the curve to protect their sensitive data and infrastructure.

Author: Gregorio Kreiger