<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-11T12:20:53.416149+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/4bf867a3-3d62-480c-bb17-211eb61a65ec/export</id>
    <title>4bf867a3-3d62-480c-bb17-211eb61a65ec</title>
    <updated>2026-07-11T12:20:53.434786+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "4bf867a3-3d62-480c-bb17-211eb61a65ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "https://t.me/brutsecurity/2605", "content": "\ud83d\udea8 Bug Bounty / Red Team Tip\n\nCVE-2026-21643 \u2014 Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)\n\nUnauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint /api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups \u2192 full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).\n\n- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)\n- Not affected: 7.2.x, 8.0.x, single-site deployments\n- Fixed: Upgrade to 7.4.5 or later\n- Status: Actively exploited in the wild + public PoCs available\n\nMain Detail Article (Highly Recommended):  \nBishop Fox deep-dive with exploitation paths, payloads (e.g., pg_sleep(5) for blind testing), and lab results \u2192  \nhttps://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4\n\nPublic PoC (GitHub):  \nhttps://github.com/0xBlackash/CVE-2026-21643\n\nUseful Google/Shodan Dorks:\n- http.title:\"FortiClient EMS\" \"7.4.4\"\n- http.html:\"FortiClient Enterprise Management Server\"\n- http.favicon.hash: -specific-hash (or search for EMS login page)\n- Shodan: \"Model: FCTEMS\" or \"FortiClient EMS\"\n\nQuick Check:\nIf your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled \u2192 patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).\n\nHigh-value target for hunters. Patch or restrict immediately!\n\n#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi", "creation_timestamp": "2026-07-11T10:00:05.407445Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/4bf867a3-3d62-480c-bb17-211eb61a65ec/export"/>
    <published>2026-07-11T10:00:05.407445+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/1ff0f56d-a2ec-4671-9389-132e9161a1a0/export</id>
    <title>1ff0f56d-a2ec-4671-9389-132e9161a1a0</title>
    <updated>2026-07-11T12:20:53.436729+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "1ff0f56d-a2ec-4671-9389-132e9161a1a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "seen", "source": "https://t.me/brutsecurity/2605", "content": "\ud83d\udea8 Bug Bounty / Red Team Tip\n\nCVE-2026-21643 \u2014 Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)\n\nUnauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint /api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups \u2192 full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).\n\n- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)\n- Not affected: 7.2.x, 8.0.x, single-site deployments\n- Fixed: Upgrade to 7.4.5 or later\n- Status: Actively exploited in the wild + public PoCs available\n\nMain Detail Article (Highly Recommended):  \nBishop Fox deep-dive with exploitation paths, payloads (e.g., pg_sleep(5) for blind testing), and lab results \u2192  \nhttps://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4\n\nPublic PoC (GitHub):  \nhttps://github.com/0xBlackash/CVE-2026-21643\n\nUseful Google/Shodan Dorks:\n- http.title:\"FortiClient EMS\" \"7.4.4\"\n- http.html:\"FortiClient Enterprise Management Server\"\n- http.favicon.hash: -specific-hash (or search for EMS login page)\n- Shodan: \"Model: FCTEMS\" or \"FortiClient EMS\"\n\nQuick Check:\nIf your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled \u2192 patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).\n\nHigh-value target for hunters. Patch or restrict immediately!\n\n#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi", "creation_timestamp": "2026-07-10T00:00:12.994174Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/1ff0f56d-a2ec-4671-9389-132e9161a1a0/export"/>
    <published>2026-07-10T00:00:12.994174+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f905a9c8-acc7-4b85-ad51-7ca4138e8b9c/export</id>
    <title>f905a9c8-acc7-4b85-ad51-7ca4138e8b9c</title>
    <updated>2026-07-11T12:20:53.436936+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "f905a9c8-acc7-4b85-ad51-7ca4138e8b9c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "seen", "source": "https://t.me/brutsecurity/2605", "content": "\ud83d\udea8 Bug Bounty / Red Team Tip\n\nCVE-2026-21643 \u2014 Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)\n\nUnauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint /api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups \u2192 full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).\n\n- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)\n- Not affected: 7.2.x, 8.0.x, single-site deployments\n- Fixed: Upgrade to 7.4.5 or later\n- Status: Actively exploited in the wild + public PoCs available\n\nMain Detail Article (Highly Recommended):  \nBishop Fox deep-dive with exploitation paths, payloads (e.g., pg_sleep(5) for blind testing), and lab results \u2192  \nhttps://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4\n\nPublic PoC (GitHub):  \nhttps://github.com/0xBlackash/CVE-2026-21643\n\nUseful Google/Shodan Dorks:\n- http.title:\"FortiClient EMS\" \"7.4.4\"\n- http.html:\"FortiClient Enterprise Management Server\"\n- http.favicon.hash: -specific-hash (or search for EMS login page)\n- Shodan: \"Model: FCTEMS\" or \"FortiClient EMS\"\n\nQuick Check:\nIf your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled \u2192 patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).\n\nHigh-value target for hunters. Patch or restrict immediately!\n\n#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi", "creation_timestamp": "2026-07-09T03:00:05.673848Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f905a9c8-acc7-4b85-ad51-7ca4138e8b9c/export"/>
    <published>2026-07-09T03:00:05.673848+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/239f19a9-7393-472b-8efa-40c1dbe5b8ff/export</id>
    <title>239f19a9-7393-472b-8efa-40c1dbe5b8ff</title>
    <updated>2026-07-11T12:20:53.437102+00:00</updated>
    <author>
      <name>Cédric Bonhomme</name>
      <uri>https://cvepremium.circl.lu/user/cedric</uri>
    </author>
    <content>{"uuid": "239f19a9-7393-472b-8efa-40c1dbe5b8ff", "vulnerability_lookup_origin": "c8fb6bf1-f81f-4cb8-95b1-eadbb3b54ee8", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/60ec08e2-667c-4cb0-b78c-ac4058db2559", "content": "", "creation_timestamp": "2026-06-30T09:23:17.434808Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/239f19a9-7393-472b-8efa-40c1dbe5b8ff/export"/>
    <published>2026-06-30T09:23:17.434808+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2b36d803-254c-4040-918e-3e1ff549a959/export</id>
    <title>2b36d803-254c-4040-918e-3e1ff549a959</title>
    <updated>2026-07-11T12:20:53.438794+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://cvepremium.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "2b36d803-254c-4040-918e-3e1ff549a959", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-21643", "type": "seen", "source": "https://www.acn.gov.it/portale/w/fortibleed-esposizione-di-credenziali-ssl-vpn-associate-a-dispositivi-fortinet-esposti-su-internet", "content": "", "creation_timestamp": "2026-06-25T16:45:22.919022Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2b36d803-254c-4040-918e-3e1ff549a959/export"/>
    <published>2026-06-25T16:45:22.919022+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/422eefed-e688-470a-bd20-625487a597ba/export</id>
    <title>422eefed-e688-470a-bd20-625487a597ba</title>
    <updated>2026-07-11T12:20:53.439866+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "422eefed-e688-470a-bd20-625487a597ba", "vulnerability_lookup_origin": "caeb2787-0d58-4236-9039-7c86c3e566f3", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/82511421-8748-4c5b-8ef3-1deffaba12cd", "content": "", "creation_timestamp": "2026-06-23T14:03:40.070102Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/422eefed-e688-470a-bd20-625487a597ba/export"/>
    <published>2026-06-23T14:03:40.070102+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/ff371fd0-0294-4de1-a236-daa2443f0acd/export</id>
    <title>ff371fd0-0294-4de1-a236-daa2443f0acd</title>
    <updated>2026-07-11T12:20:53.439985+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "ff371fd0-0294-4de1-a236-daa2443f0acd", "vulnerability_lookup_origin": "caeb2787-0d58-4236-9039-7c86c3e566f3", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/e623b53b-184e-428b-8ca1-72c843727c86", "content": "", "creation_timestamp": "2026-06-19T12:45:32.380211Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/ff371fd0-0294-4de1-a236-daa2443f0acd/export"/>
    <published>2026-06-19T12:45:32.380211+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/e3c37786-5f33-408e-b17e-d0ff6b936649/export</id>
    <title>e3c37786-5f33-408e-b17e-d0ff6b936649</title>
    <updated>2026-07-11T12:20:53.440088+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "e3c37786-5f33-408e-b17e-d0ff6b936649", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "The Shadowserver (honeypot/exploited-vulnerabilities) - (2026-06-14)", "content": "", "creation_timestamp": "2026-06-14T00:00:00.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/e3c37786-5f33-408e-b17e-d0ff6b936649/export"/>
    <published>2026-06-14T00:00:00+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/84e42386-4ad8-4614-bc6d-7aa43fc20e1e/export</id>
    <title>84e42386-4ad8-4614-bc6d-7aa43fc20e1e</title>
    <updated>2026-07-11T12:20:53.440181+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "84e42386-4ad8-4614-bc6d-7aa43fc20e1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "The Shadowserver (honeypot/exploited-vulnerabilities) - (2026-06-05)", "content": "", "creation_timestamp": "2026-06-05T00:00:00.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/84e42386-4ad8-4614-bc6d-7aa43fc20e1e/export"/>
    <published>2026-06-05T00:00:00+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/544bc1db-4a10-47c3-871b-e9b05445354a/export</id>
    <title>544bc1db-4a10-47c3-871b-e9b05445354a</title>
    <updated>2026-07-11T12:20:53.440279+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "544bc1db-4a10-47c3-871b-e9b05445354a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21643", "type": "exploited", "source": "The Shadowserver (honeypot/exploited-vulnerabilities) - (2026-06-03)", "content": "", "creation_timestamp": "2026-06-03T00:00:00.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/544bc1db-4a10-47c3-871b-e9b05445354a/export"/>
    <published>2026-06-03T00:00:00+00:00</published>
  </entry>
</feed>
