嗯,用户让我总结一下这篇文章的内容,控制在一百个字以内。首先,我需要通读整篇文章,抓住关键点。 文章主要讲的是Fortinet的FortiClient EMS软件存在一个严重的漏洞,CVE编号是2026-21643,CVSS评分9.1分。这个漏洞允许攻击者通过SQL注入进行远程代码执行。攻击者已经利用这个漏洞进行攻击了,尽管CISA和其他已知漏洞列表还没标记它为被利用。 接下来,文章提到Fortinet在二月份发布了紧急公告,修复了这个漏洞,并指出受影响的版本是7.4.4,建议升级到7.4.5或更高版本。此外,研究人员发现大约有1000个公开暴露的实例,主要在美国和欧洲。 用户要求用中文总结,并且不要以“文章内容总结”这样的开头。所以我要确保语言简洁明了,控制在一百字以内。 可能的结构是:漏洞名称、CVE编号、CVSS评分、攻击方式、影响范围、修复建议以及当前状态。这样可以涵盖所有关键信息。 最后检查一下字数是否符合要求,并确保没有遗漏重要信息。 </think> Fortinet FortiClient EMS存在严重SQL注入漏洞(CVE-2026-21643),CVSS评分9.1分。攻击者可利用该漏洞通过HTTP请求中的"Site"头注入SQL代码实现远程代码执行。已有实际攻击案例,尽管尚未被列入CISA等已知被利用漏洞列表。 Fortinet已发布补丁修复该问题。 2026-3-30 10:43:26 Author: securityaffairs.com(查看原文) 阅读量:6 收藏
Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution
Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.
A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X.
— Defused (@DefusedCyber) March 28, 2026🚨 Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data
Attackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj
In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
In February, the vendor did not disclose whether the vulnerability is currently being actively exploited in the wild.
Despite not yet appearing in major exploited lists, real-world attacks have already been observed.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Fortinet)
如有侵权请联系:admin#unsafe.sh