Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for FortiClient Enterprise Management Server (EMS) warning that CVE-2026-21643 enables unauthenticated remote code execution via an SQL injection flaw (CWE-89) in the product’s GUI/web interface. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise.
The issue is reported as affecting the 7.4 line, with FortiClientEMS 7.4.4 explicitly called out as vulnerable; Fortinet’s recommended remediation is to upgrade to 7.4.5 or later. Fortinet also stated that the 8.0 and 7.2 branches are not affected, and an updated note indicated FortiEMS Cloud/SaaS instances are not impacted, narrowing immediate exposure primarily to on-prem deployments running the affected version.
Related Stories

FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)
Fortinet disclosed and patched a **critical FortiSIEM OS command injection** vulnerability, **CVE-2025-64155** (CVSS **9.4**), that enables **unauthenticated remote code execution** via crafted TCP/CLI requests to the *phMonitor* service (default **port 7900**). Impact is reported on FortiSIEM **Super and Worker nodes** (Collector nodes reportedly not affected), with recommended upgrades to **7.4.1**, **7.3.5**, or **7.2.7**; a key mitigation is to **restrict network access to port 7900**. Technical analysis described an exploit chain in which attacker-controlled inputs in *phMonitor* requests can be leveraged for **argument injection** leading to **arbitrary file write and code execution** (initially in an admin-level context), followed by a **file overwrite privilege escalation to root**. Public exploit material is reported to be available, and the issue has drawn threat-actor interest (including references in leaked **Black Basta** chats), increasing the likelihood of opportunistic exploitation against exposed FortiSIEM deployments.
2 months ago
Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)
Technical details and public exploit code were released for a **critical Fortinet FortiSIEM** vulnerability, **CVE-2025-25256**, that enables a **remote, unauthenticated attacker** to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the `phMonitor` service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve **root** access. Fortinet has issued patches across affected FortiSIEM versions (reported as impacting **6.7 through 7.5**) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted `phMonitor` has been a recurring entry point for prior FortiSIEM flaws (including **CVE-2023-34992** and **CVE-2024-23108**) and warned that ransomware operators (e.g., **Black Basta**) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.
2 months ago
Fortinet FortiOS/FortiSwitchManager Heap Buffer Overflow Enabling Remote Code Execution
Fortinet disclosed a **critical heap-based buffer overflow** (CWE-122) in the `cw_acd` daemon affecting **FortiOS** and **FortiSwitchManager**, which can allow **remote, unauthenticated attackers to execute arbitrary code or commands** via specially crafted network traffic. Impacted versions span multiple FortiOS branches (6.4 through 7.6), along with **FortiSASE** and FortiSwitchManager releases; Fortinet advised immediate upgrades (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+, 6.4.17+; FortiSwitchManager 7.2.7+ and 7.0.6+), and noted FortiSASE 25.2.b is remediated in 25.2.c. The issue was reported as discovered internally by Fortinet’s product security team, and public reporting indicated no CVE was initially listed at publication time. For the FortiOS/FortiSwitchManager RCE, interim mitigations included removing **fabric** access from interfaces and restricting **CAPWAP-CONTROL** (UDP 5246–5249) to trusted sources via local-in policies.

Separately, Fortinet also disclosed a **low-severity SSRF** in **FortiSandbox** tracked as **CVE-2025-67685** (FG-IR-25-783), where an authenticated, high-privilege user can craft GUI-driven HTTP requests to proxy traffic to internal plaintext endpoints (CWE-918). While this SSRF could enable internal service exposure or pivoting in segmented environments, it requires privileged access and was not reported as actively exploited; Fortinet recommended upgrading FortiSandbox (e.g., 5.0.5+ for 5.0.0–5.0.4) and migrating off legacy 4.x branches.
2 months ago