A serious security hole in Fortinet's FortiClient Enterprise Management Server (EMS) is causing a lot of worry in business settings, especially those that use multi-tenant deployments. The flaw, tracked as CVE-2026-21643, carries a CVSS score of 9.1 and lets unauthenticated attackers run arbitrary SQL commands, which could lead to the database being completely compromised.

The flaw affects FortiClient EMS version 7.4.4 and is especially dangerous because it is exploitable before authentication: attackers do not need valid credentials. Instead, they can send specially crafted requests directly to the exposed web interface to alter backend database queries. The defect was introduced by a faulty code change during a large middleware refactor in version 7.4.4.

This middleware handles communication between web requests and the backend PostgreSQL database. According to security researchers at Bishop Fox, the application mishandles the HTTP "Site" header, which identifies tenant environments in multi-tenant setups: rather than validating or sanitizing the user-supplied value, it inserts the raw header directly into the SQL query that sets the database search path.

This risky behavior produces a classic SQL injection condition. Because the database connection is established before authentication checks run, attackers can exploit the vulnerability with a single malicious request to the exposed endpoint ("api/v1/init_consts"). The endpoint's lack of rate limiting and its verbose database error messages increase the risk further.
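The defect described above is a tenant identifier from an HTTP header being spliced into a `search_path` statement. The following added example (not Fortinet's code, and not Bishop Fox's) contrasts that pattern with the handling a reviewer would expect: an allowlist check on the header value, a lookup against the set of known tenants, and identifier quoting before the value reaches SQL. The regex, the `KNOWN_SITES` registry and the statement shape are assumptions made for the illustration.

```python
import re

# Assumed shape of a legitimate site/schema name: letters, digits and underscore,
# at most 63 characters (PostgreSQL's identifier length limit).
SITE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")

# Constructed registry of tenant schemas, standing in for a lookup against the
# application's own tenant table.
KNOWN_SITES = {"default", "tenant_a", "tenant_b"}


def build_search_path_unsafe(site_header):
    """Vulnerable pattern: the raw header text becomes part of the statement.

    Whatever the client sent (including quotes or statement separators) is
    passed to the database unchanged.
    """
    return f"SET search_path TO {site_header}"


def quote_identifier(name):
    """Quote a validated name as a SQL identifier, doubling embedded quotes.

    Libraries provide this too (e.g. psycopg2.sql.Identifier); it is inlined
    here so the example runs without a database driver.
    """
    return '"' + name.replace('"', '""') + '"'


def resolve_site(site_header, known=KNOWN_SITES):
    """Map a Site header to a tenant name, rejecting anything unexpected."""
    if site_header is None:
        return "default"
    value = site_header.strip()
    if not SITE_NAME_RE.fullmatch(value):
        raise ValueError("Site header rejected: not a valid schema name")
    if value not in known:
        raise ValueError("Site header rejected: unknown tenant")
    return value


def build_search_path_safe(site_header, known=KNOWN_SITES):
    """Hardened pattern: allowlist, registry lookup, then identifier quoting."""
    site = resolve_site(site_header, known)
    return f"SET search_path TO {quote_identifier(site)}"


if __name__ == "__main__":
    # Constructed inputs: a legitimate tenant and a malformed header value.
    for header in ["tenant_a", 'tenant_a; SELECT 1 --', "not_a_tenant"]:
        try:
            print("safe  :", build_search_path_safe(header))
        except ValueError as exc:
            print("safe  : rejected ->", exc)
        print("unsafe:", build_search_path_unsafe(header))
```

`SET search_path` takes an identifier, not a bind parameter, so most drivers cannot parameterize it; that is why the check combines a strict allowlist with a registry lookup before quoting, rather than relying on quoting alone.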

Attackers can use these error messages for error-based SQL injection, which extracts sensitive data quickly without resorting to slower blind techniques. Successful exploitation yields database administrator-level access, which can be used to obtain administrative credentials, retrieve security certificates, and enumerate all managed endpoints, including their IP addresses and installed software.

In worse cases, the database's elevated privileges could allow attackers to run system-level commands, potentially leading to a full server compromise and lateral movement across the network. Despite its severity, the vulnerability's scope is narrow: it affects only version 7.4.4, and only when the multi-tenant "Sites" feature is enabled. Other versions, including older releases and the newer 8.0 branch, are not affected because of architectural differences.

Fortinet fixed the problem in version 7.4.5 by properly sanitizing the HTTP header. Organizations still running the vulnerable version should upgrade immediately. To check for signs of exploitation, security teams should review Apache access logs for unusual patterns such as repeated requests to "/api/v1/init_consts", long response times, or sudden increases in HTTP 500 errors.
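The three log indicators listed above can be checked mechanically. The following added example (not part of the original article and not a Fortinet tool) parses Apache combined-format access lines and flags source addresses that hit the endpoint repeatedly, receive several HTTP 500 responses, or see slow responses. The sample lines are constructed, and the assumption that the log format ends with the response time in microseconds (Apache's `%D`) is the author's own; drop that field from the regex if your `LogFormat` lacks it.

```python
import re
from collections import defaultdict

# Constructed sample lines: Apache "combined" format plus a trailing %D field
# (response time in microseconds). Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:10:00:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 512 "-" "python-requests/2.31" 4200000
203.0.113.10 - - [12/Jan/2026:10:00:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 498 "-" "python-requests/2.31" 3900000
203.0.113.10 - - [12/Jan/2026:10:00:03 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 501 "-" "python-requests/2.31" 4100000
203.0.113.10 - - [12/Jan/2026:10:00:04 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 2048 "-" "python-requests/2.31" 3800000
198.51.100.7 - - [12/Jan/2026:10:00:05 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 120000
198.51.100.7 - - [12/Jan/2026:10:00:09 +0000] "GET /api/v1/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 90000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<usec>\d+))?$'
)

# The endpoint named in the article's detection guidance.
WATCH_PATH = "/api/v1/init_consts"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["usec"] = int(rec["usec"]) if rec["usec"] else None
    return rec


def analyse(log_text, repeat_threshold=3, error_threshold=2,
            slow_threshold=2, slow_ms=1000):
    """Aggregate requests to WATCH_PATH per source IP and flag suspicious ones.

    Thresholds are illustrative defaults; tune them to the deployment's normal
    traffic (legitimate clients do call this endpoint).
    """
    per_ip = defaultdict(lambda: {"hits": 0, "errors": 0, "slow": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"].split("?", 1)[0] != WATCH_PATH:
            continue
        stats = per_ip[rec["ip"]]
        stats["hits"] += 1
        if rec["status"] >= 500:
            stats["errors"] += 1
        if rec["usec"] is not None and rec["usec"] / 1000 >= slow_ms:
            stats["slow"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["hits"] >= repeat_threshold:
            reasons.append("repeated requests")
        if s["errors"] >= error_threshold:
            reasons.append("HTTP 500 errors")
        if s["slow"] >= slow_threshold:
            reasons.append("slow responses")
        if reasons:
            findings[ip] = {"reasons": reasons, **s}
    return findings


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real file with `analyse(open(path).read())`. A single slow or failed request is normal noise; the value of the aggregation is that all three indicators cluster on the same source address when the endpoint is being probed.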

Disabling the multi-tenant feature or restricting external access to the EMS interface can reduce exposure until patching is complete.