{"uuid": "1ff0f56d-a2ec-4671-9389-132e9161a1a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "seen", "source": "https://t.me/brutsecurity/2605", "content": "\ud83d\udea8 Bug Bounty / Red Team Tip\n\nCVE-2026-21643 \u2014 Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)\n\nUnauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint /api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups \u2192 full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).\n\n- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)\n- Not affected: 7.2.x, 8.0.x, single-site deployments\n- Fixed: Upgrade to 7.4.5 or later\n- Status: Actively exploited in the wild + public PoCs available\n\nMain Detail Article (Highly Recommended):  \nBishop Fox deep-dive with exploitation paths, payloads (e.g., pg_sleep(5) for blind testing), and lab results \u2192  \nhttps://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4\n\nPublic PoC (GitHub):  \nhttps://github.com/0xBlackash/CVE-2026-21643\n\nUseful Google/Shodan Dorks:\n- http.title:\"FortiClient EMS\" \"7.4.4\"\n- http.html:\"FortiClient Enterprise Management Server\"\n- http.favicon.hash: -specific-hash (or search for EMS login page)\n- Shodan: \"Model: FCTEMS\" or \"FortiClient EMS\"\n\nQuick Check:\nIf your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled \u2192 patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).\n\nHigh-value target for hunters. Patch or restrict immediately!\n\n#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi", "creation_timestamp": "2026-07-10T00:00:12.994174Z"}