{"id":16020,"date":"2026-03-30T23:25:54","date_gmt":"2026-03-30T23:25:54","guid":{"rendered":"https:\/\/newestek.com\/?p=16020"},"modified":"2026-03-30T23:25:54","modified_gmt":"2026-03-30T23:25:54","slug":"fortinet-hit-by-another-exploited-cybersecurity-flaw","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16020","title":{"rendered":"Fortinet hit by another exploited cybersecurity flaw"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Yet another critical flaw in a Fortinet product has come to light as attackers continue to target the company, this time by actively exploiting a critical SQL injection vulnerability in the cybersecurity company\u2019s management server.<\/p>\n<p>The vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21643\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-21643<\/a>) allows unauthenticated threat actors to execute arbitrary code on unpatched systems via specially crafted HTTP requests. 
These low-complexity attacks target the FortiClient Endpoint Management Server (EMS), a widely used cybersecurity tool.<\/p>\n<p>The CVE was being abused as recently as four days ago, according to research from red-teaming company Defused Cyber, and reflects a concerning trend for the cybersecurity giant, which serves <a href=\"https:\/\/www.fortinet.com\/corporate\/about-us\/about-us\" target=\"_blank\" rel=\"noreferrer noopener\">more than 900,000 customers<\/a>.<\/p>\n<p>\u201cThis is Fortinet\u2019s seventh SQL CVE over the past 12 months, and that\u2019s frankly seven too many,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noreferrer noopener\">David Shipley<\/a> of Beauceron Security.<\/p>\n<h2 class=\"wp-block-heading\" id=\"gives-broad-access-to-sensitive-data\">Gives broad access to sensitive data<\/h2>\n<p>FortiClient EMS provides centralized management, deployment, and monitoring for FortiClient endpoint agents across numerous platforms. CVE-2026-21643 was discovered internally by Fortinet\u2019s security team and published on February 6. It impacts FortiClient EMS version 7.4.4 when multi-tenant mode is enabled. Single-site deployments are not impacted. Enterprises should patch immediately, security experts warn, by upgrading to version 7.4.5 or later.<\/p>\n<p>As of publication time, Fortinet had not yet updated its <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-25-1142\" target=\"_blank\" rel=\"noreferrer noopener\">security advisory to flag the active exploitation<\/a> of the CVE.<\/p>\n<p>The flaw is described as an \u201cimproper neutralization of special elements used in a SQL command\u201d vulnerability. 
In practice, a single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database, according to a <a href=\"https:\/\/bishopfox.com\/blog\/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4\" target=\"_blank\" rel=\"noreferrer noopener\">deep-dive report<\/a> by pentesting company Bishop Fox. An attacker who can reach the EMS web interface over HTTPS \u201cneeds no credentials to exploit this,\u201d it said.<\/p>\n<p>\u201cThis gives attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints,\u201d the researchers wrote. They pointed out that the endpoint returns database error messages and has no lockout protections, allowing attackers to quickly extract sensitive data.<\/p>\n<p>The Shadowserver Foundation, a nonprofit security watchdog, is currently tracking <a href=\"https:\/\/dashboard.shadowserver.org\/statistics\/iot-devices\/time-series\/?date_range=365&amp;vendor=fortinet&amp;type=security-management&amp;model=forticlient+enterprise+management+server+%28ems%29&amp;dataset=count&amp;limit=100&amp;group_by=geo&amp;stacking=stacked\" target=\"_blank\" rel=\"noreferrer noopener\">more than 2,400<\/a> FortiClient EMS instances with web interfaces exposed to the internet, the majority of them in the US and Europe. And Shodan, a search engine for internet-connected devices, reported <a href=\"https:\/\/www.shodan.io\/search\/report?query=fortinet\" target=\"_blank\" rel=\"noreferrer noopener\">1,000 publicly exposed<\/a> instances of FortiClient EMS.<\/p>\n<h2 class=\"wp-block-heading\" id=\"sql-injection-a-top-app-security-issue\">SQL injection a top app security issue<\/h2>\n<p>Beauceron\u2019s Shipley underscored the dangers of SQL injection, pointing out that this vulnerability class ranked first on the OWASP top 10 application security risks when the open source foundation was launched more than 20 years ago. 
The attack type has remained in the top spot for most of that time, \u201cfor good reason.\u201d<\/p>\n<p>\u201cYou don\u2019t want these kinds of bugs to lead to remote code execution, [but] in multi-site setups of this service, that\u2019s what you can get,\u201d said Shipley.<\/p>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/victor-okorie\" target=\"_blank\" rel=\"noreferrer noopener\">Victor Okorie<\/a>, advisory director in the security and privacy practice at Info-Tech Research Group, agreed with Shipley\u2019s assessment that SQL injection vulnerabilities are particularly dangerous.<\/p>\n<p>Most existing controls do not catch flaws like this, he pointed out, allowing for credential theft, enabling lateral movement due to the \u201cimplicit trust\u201d of the EMS, and permitting manipulation and exfiltration of sensitive data. Attackers can execute unauthorized commands and bypass authentication completely, \u201cwhich makes getting in a breeze.\u201d<\/p>\n<p>\u201cThe bad actor\u2019s playbook consists of \u2018get in,\u2019 \u2018take control,\u2019 and \u2018profit,\u2019 and this is something we should always remember when reviewing vulnerabilities being exploited in the wild,\u201d said Okorie.<\/p>\n<h2 class=\"wp-block-heading\" id=\"highlights-importance-of-zero-trust\">Highlights importance of zero trust<\/h2>\n<p>Fortinet has been a prime target for threat actors of late, with attackers using AI to exploit <a href=\"https:\/\/www.csoonline.com\/article\/4136198\/russian-group-uses-ai-to-exploit-weakly-protected-fortinet-firewalls-says-amazon.html\" target=\"_blank\">weakly-protected firewalls<\/a>, launching <a href=\"https:\/\/www.csoonline.com\/article\/4121682\/fortinet-confirms-new-zero-day-attacks-against-customer-devices.html\" target=\"_blank\">zero-day attacks<\/a> against customer devices, and stealing FortiGate <a 
href=\"https:\/\/www.csoonline.com\/article\/4107440\/fortigate-firewall-credentials-being-stolen-after-vulnerabilities-discovered.html\" target=\"_blank\">firewall credentials<\/a>. The company has also been criticized for <a href=\"https:\/\/www.csoonline.com\/article\/4093949\/fortinet-criticized-for-silent-patching-after-disclosing-second-zero-day-vulnerability-in-same-equipment.html\" target=\"_blank\">\u201csilent\u201d patching<\/a> after disclosing zero-day vulnerabilities in some of its equipment.<\/p>\n<p>All told, the US Cybersecurity and Infrastructure Security Agency (CISA) lists <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?search_api_fulltext=%22Fortinet%22\" target=\"_blank\" rel=\"noreferrer noopener\">24 Fortinet vulnerabilities<\/a> actively being exploited.<\/p>\n<p>This highlights the importance of a zero-trust architecture, said Okorie. Organizations should check whether their EMS is internet-facing, he advised; if it is, they should remove it from direct exposure to the internet and place it behind a secure access gateway. Enterprises should also inspect HTTP traffic logs for anomalous SQL syntax embedded within the \u2018Site\u2019 header.<\/p>\n<p>\u201cOld dogs don\u2019t really need new tricks, and that can be applicable here,\u201d said Okorie. Because Fortinet vulnerabilities have been used in ransomware campaigns, \u201cthere is a sense of familiarity\u201d for attackers, who continue to identify and exploit weaknesses.<\/p>\n<h2 class=\"wp-block-heading\" id=\"fortinet-must-be-more-proactive\">Fortinet must be \u2018more proactive\u2019<\/h2>\n<p>\u201cFortinet seems to have an issue resolving entire bug classes,\u201d added Beauceron\u2019s Shipley. They seem to keep playing \u201cbug whack-a-mole,\u201d fixing the immediate problem but not taking the time to review codebases in depth to uncover the same flawed code in other areas.<\/p>\n<p>\u201cAttackers, on the other hand, smell blood,\u201d he noted. 
Once they find this kind of bug repeated, they will refine their hacking attempts to discover more instances of it.<\/p>\n<p>With AI tools speeding up attackers\u2019 work, Fortinet must be more proactive on bug hunts, said Shipley. But that being said, he observed, the company\u2019s revenue continued to grow in 2025 by <a href=\"https:\/\/www.fortinet.com\/corporate\/about-us\/newsroom\/press-releases\/2026\/fortinet-reports-fourth-quarter-full-year-2025-financial-results#:~:text=Revenue%20grew%2014%25%20year%20over,the%20sixth%20consecutive%20year2\" target=\"_blank\" rel=\"noreferrer noopener\">more than 14%<\/a>, \u201cso the market isn\u2019t exactly sending a strong signal that they should care [about this] more.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Yet another critical flaw in a Fortinet product has come to light as attackers continue to target the company, this time by actively exploiting a critical SQL injection vulnerability in the cybersecurity company\u2019s management server. The vulnerability, (CVE-2026-21643), allows unauthenticated threat actors to execute arbitrary code on unpatched systems via specifically-crafted HTTP requests. 
These low-complexity attacks target the FortiClient Endpoint Management Server (EMS), a widely-used&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16020\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16020","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16020","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16020"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16020\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}