{"id":55696,"date":"2024-03-27T14:27:51","date_gmt":"2024-03-27T14:27:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35705\/Fortinet-FortiClient-EMS-SQL-Injection-Flaw-Exploited-In-The-Wild.html"},"modified":"2024-03-27T14:27:51","modified_gmt":"2024-03-27T14:27:51","slug":"fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/","title":{"rendered":"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2024\/03\/AdobeStock_357046291.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Critical vulnerabilities in Fortinet FortiClient EMS, the Ivanti EPM Cloud Services Appliance, and the Nice Linear eMerge E-Series OS <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/03\/25\/cisa-adds-three-known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener\">were added to the U.S. Cybersecurity and Infrastructure Agency\u2019s (CISA) Known Exploited Vulnerabilities (KEV) Catalog<\/a> Monday.<\/p>\n<p>A high-severity vulnerability in Microsoft SharePoint Server was also added to the KEV database Tuesday.<\/p>\n<p>The Fortinet vulnerability, which was <a href=\"https:\/\/www.fortiguard.com\/psirt\/FG-IR-24-007\" target=\"_blank\" rel=\"noreferrer noopener\">first disclosed<\/a> on March 12, is a SQL injection flaw that could enable remote code execution (RCE) by an unauthenticated attacker. A proof-of-concept (PoC) exploit for the vulnerability, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-48788\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-48788<\/a>, was <a href=\"https:\/\/www.horizon3.ai\/attack-research\/attack-blogs\/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive\/\" target=\"_blank\" rel=\"noreferrer noopener\">published on March 21<\/a> by Horizon3.ai.<\/p>\n<p>Fortinet also updated its advisory on March 21, indicating that the vulnerability was being exploited in the wild.<\/p>\n<p>\u201cFortinet diligently balances our commitment to the security of our customers and our culture of transparency. We proactively communicated to customers via Fortinet\u2019s PSIRT Advisory process, advising them to follow the guidance provided,\u201d a Fortinet spokesperson told SC Media in an email.<\/p>\n<p>CVE-2023-48788 has a CVSS score of 9.8 and affects FortiClient EMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10.<\/p>\n<h2>SQL injection bug enables RCE through command shell<\/h2>\n<p>Horizon3.ai researchers outlined in a blog post how key components of FortiClient EMS \u2014 an enterprise endpoint management solution \u2014 communicate with one another and how an attacker can exploit this chain of connections to achieve RCE.<\/p>\n<p>FmcDaemon.exe, the main component that communicates with enrolled client endpoints, listens for requests on port 8013 and forwards requests for database operations to the FCTDas.exe data access server. FCTDas.exe translates these messages into SQL queries and interacts with the Microsoft SQL Server database.<\/p>\n<p>The researchers found that messages passed between FcmDaemon and FCTDas contained an FCTUID as part of the database query. By crafting a request that alters this FCTUID to include their own input, and transmitting this request through port 8013, the researchers were able to achieve SQL injection due to lack of sanitization for this element.<\/p>\n<p>They further demonstrated how RCE could be achieved by crafting the injected input to execute code through the built-in command shell functionality (xp_cmdshell) of the Microsoft SQL Server. Even when the database was not initially configured to run xp_cmdshell commands, additional SQL injections could be used to enable this function.<\/p>\n<p>The PoC exploit published by the researchers does not include the RCE function but allows users to confirm whether their instance is vulnerable to SQL injection.<\/p>\n<p>Horizon3.ai Exploit Developer James Horseman told SC Media the company hasn\u2019t tracked external activity related to CVE-2023-48788 and referred back to recommendations made in his blog post.<\/p>\n<p>The blog noted users can look for connections from unrecognized clients and other potential indicators of compromise in the log files located at C:\\Program Files (x86) \\Fortinet\\FortiClientEMS\\logs. Microsoft SQL Server logs can also be examined for evidence of command execution through xp_cmdshell.<\/p>\n<p>Security organization Shadowserver <a href=\"https:\/\/x.com\/Shadowserver\/status\/1771963616092193085?s=20\" target=\"_blank\" rel=\"noreferrer noopener\">reported<\/a> 130 FortiClient EMS instances vulnerable to CVE-2023-48788 were detected by its scanners on March 23, with 30 vulnerable instances in the United States.<\/p>\n<p>\u201cNote we only do a version check on the web interface, exploitation requires access to FmcDaemon on tcp\/8013,\u201d the organization <a href=\"https:\/\/x.com\/Shadowserver\/status\/1771963618583589201?s=20\" target=\"_blank\" rel=\"noreferrer noopener\">wrote on X.<\/a><\/p>\n<p>GreyNoise is also tracking the vulnerability and <a href=\"https:\/\/viz.greynoise.io\/tags\/fortinet-forticlientems-cve-2023-48788-sql-injection-attempt\" target=\"_blank\" rel=\"noreferrer noopener\">has so far detected<\/a> four malicious IPs attempting to exploit the flaw, all of which are tagged as opportunistic TLS\/SSL crawlers.<\/p>\n<p>CISA <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-design-alert-eliminating-sql-injection-vulnerabilities-software\" target=\"_blank\" rel=\"noreferrer noopener\">released a joint Secure by Design alert<\/a> with the FBI on Monday advising software developers on preventing SQL injection vulnerabilities. The alert specifically references the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-158a\" target=\"_blank\" rel=\"noreferrer noopener\">MOVEit file transfer service attack<\/a> as an example of SQL injection exploitation.<\/p>\n<p>Fortinet earlier this year patched another critical flaw in <a href=\"https:\/\/www.scmagazine.com\/news\/new-fortinet-rce-vulnerability-potentially-under-exploitation\" target=\"_blank\" rel=\"noreferrer noopener\">FortiOS and FortiProxy<\/a>, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21762\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2024-21762<\/a>, which has since been added to the KEV catalog.<\/p>\n<p>Another CISA <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-038a\" target=\"_blank\" rel=\"noreferrer noopener\">joint advisory<\/a> last month warned that China-backed threat group <a href=\"https:\/\/www.scmagazine.com\/news\/volt-typhoon-fails-to-revive-botnet-after-fbi-takedown\" target=\"_blank\" rel=\"noreferrer noopener\">Volt Typhoon<\/a> has likely utilized Fortinet <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-42475\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2022-42475<\/a>, along with Ivanti, NETGEAR, Citrix and Cisco vulnerabilities, in campaigns against critical infrastructure.<\/p>\n<h2>Ivanti, Microsoft, Nice vulnerabilities added to KEV<\/h2>\n<p>Other severe vulnerabilities added to the KEV catalog this week include a code injection vulnerability in the Ivanti Endpoint Manager (EPM) Cloud Services Appliance (CSA) that was patched in 2021, a command injection vulnerability in Nice Linear eMerge E3 Series devices that was discovered in 2019 and patched just this year, and a Microsoft SharePoint Server code RCE vulnerability patched in May 2023.<\/p>\n<p><a href=\"https:\/\/viz.greynoise.io\/tags\/ivanti-endpoint-manager-rce-attempt?days=30\" target=\"_blank\" rel=\"noreferrer noopener\">According to GreyNoise data<\/a>, 11 IPs have targeted the critical Ivanti EPM CSA bug tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44529\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-44529<\/a> in the last 30 days. GreyNoise researcher Ron Bowes <a href=\"https:\/\/www.labs.greynoise.io\/grimoire\/2024-02-what-is-this-old-ivanti-exploit\/\" target=\"_blank\" rel=\"noreferrer noopener\">previously wrote<\/a> that the bug may be a backdoor originating from an open-source component called csrf-magic.<\/p>\n<p>The Nice (formerly Nortek) bug, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-7256\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2019-7256<\/a>, has a maximum CVSS score of 10 and affects the operating system used in Linear eMerge E3 Series building access control devices. The first confirmation of a patch being available came with a <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-24-065-01\" target=\"_blank\" rel=\"noreferrer noopener\">CISA advisory published this month<\/a> despite <a href=\"https:\/\/blog.sonicwall.com\/en-us\/2020\/02\/linear-emerge-e3-access-controller-actively-being-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">evidence of the flaw being exploited in denial-of-service (DoS) attacks<\/a> as early as February 2020, <a href=\"https:\/\/www.securityweek.com\/exploited-building-access-system-vulnerability-patched-years-after-disclosure\/\" target=\"_blank\" rel=\"noreferrer noopener\">according to SecurityWeek<\/a>.<\/p>\n<p>The high-severity Microsoft bug tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-24955\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-24955<\/a> requires an attacker to be authenticated as a site owner to achieve RCE. Security researcher Valentin Lobstein <a href=\"https:\/\/www.scmagazine.com\/news\/cisa-flags-active-exploitation-of-critical-microsoft-sharepoint-bug\" target=\"_blank\" rel=\"noreferrer noopener\">previously noted<\/a> that the flaw could be chained with the actively exploited privilege escalation flaw <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-29357\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-29357<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35705\/Fortinet-FortiClient-EMS-SQL-Injection-Flaw-Exploited-In-The-Wild.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55697,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[256],"class_list":["post-55696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinehackerflaw"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-27T14:27:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2024\/03\/AdobeStock_357046291.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild\",\"datePublished\":\"2024-03-27T14:27:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/\"},\"wordCount\":866,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg\",\"keywords\":[\"headline,hacker,flaw\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/\",\"name\":\"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg\",\"datePublished\":\"2024-03-27T14:27:51+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg\",\"width\":800,\"height\":536},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,flaw\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerflaw\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/","og_locale":"en_US","og_type":"article","og_title":"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-03-27T14:27:51+00:00","og_image":[{"url":"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2024\/03\/AdobeStock_357046291.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild","datePublished":"2024-03-27T14:27:51+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/"},"wordCount":866,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg","keywords":["headline,hacker,flaw"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/","url":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/","name":"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg","datePublished":"2024-03-27T14:27:51+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild.jpg","width":800,"height":536},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,flaw","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerflaw\/"},{"@type":"ListItem","position":3,"name":"Fortinet FortiClient EMS SQL Injection Flaw Exploited In The Wild"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55696"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55696\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55697"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}