Alerts

Fortinet Patches Two Critical Flaws — FortiClientEMS SQLi and Actively Exploited FortiCloud SSO Bypass

Zero Day Wire

1 min read
Fortinet Patches Two Critical Flaws — FortiClientEMS SQLi and Actively Exploited FortiCloud SSO Bypass

Fortinet has released security updates addressing two critical vulnerabilities, including an unauthenticated SQL injection in FortiClientEMS and a FortiCloud SSO authentication bypass that is already being exploited in the wild.

CVE-2026-21643 — FortiClientEMS SQL Injection (CVSS 9.1)

The first flaw, tracked as CVE-2026-21643, is a SQL injection vulnerability in FortiClientEMS that allows unauthenticated attackers to execute unauthorized code or commands through specially crafted HTTP requests.

The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89) and requires no authentication or user interaction to exploit.

Affected versions:

  • FortiClientEMS 7.4.4 — upgrade to 7.4.5 or above
  • FortiClientEMS 7.2 and 8.0 are not affected

The flaw was discovered internally by Gwendal Guégniaud of Fortinet's Product Security team. Fortinet has not reported active exploitation of this vulnerability, but given the unauthenticated attack vector and critical severity, organizations should patch immediately.

CVE-2026-24858 — FortiCloud SSO Bypass (CVSS 9.4) — Actively Exploited

The second vulnerability is more urgent. CVE-2026-24858 affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb, and allows an attacker with a FortiCloud account and a registered device to authenticate into other devices registered to different accounts when FortiCloud SSO is enabled.

Fortinet has confirmed this flaw is actively exploited. Attackers are using it to:

  • Create local administrator accounts for persistence
  • Modify configurations to grant VPN access to rogue accounts
  • Exfiltrate firewall configurations

This exploitation chain gives attackers persistent access to network infrastructure even if the initial SSO bypass is later patched, making post-exploitation detection and remediation critical.

Recommendation

Organizations running FortiClientEMS 7.4.4 should upgrade to 7.4.5 immediately. For CVE-2026-24858, defenders should apply available patches across all affected Fortinet products, audit for unauthorized local admin accounts, review recent configuration changes — particularly VPN access rules — and verify no firewall configurations have been exfiltrated. Organizations using FortiCloud SSO should evaluate whether it can be temporarily disabled until patches are confirmed in place.

Read more

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

By Zero Day Wire
ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

By Zero Day Wire