Fortinet Patches Two Critical Flaws — FortiClientEMS SQLi and Actively Exploited FortiCloud SSO Bypass


Fortinet has released security updates addressing two critical vulnerabilities, including an unauthenticated SQL injection in FortiClientEMS and a FortiCloud SSO authentication bypass that is already being exploited in the wild.

CVE-2026-21643 — FortiClientEMS SQL Injection (CVSS 9.1)

The first flaw, tracked as CVE-2026-21643, is a SQL injection vulnerability in FortiClientEMS that allows unauthenticated attackers to execute unauthorized code or commands through specially crafted HTTP requests.

The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89) and requires no authentication or user interaction to exploit.

Affected versions:

  • FortiClientEMS 7.4.4 — upgrade to 7.4.5 or above
  • FortiClientEMS 7.2 and 8.0 are not affected

The flaw was discovered internally by Gwendal Guégniaud of Fortinet's Product Security team. Fortinet has not reported active exploitation of this vulnerability, but given the unauthenticated attack vector and critical severity, organizations should patch immediately.

CVE-2026-24858 — FortiCloud SSO Bypass (CVSS 9.4) — Actively Exploited

The second vulnerability is more urgent. CVE-2026-24858 affects FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb, and allows an attacker with a FortiCloud account and a registered device to authenticate into other devices registered to different accounts when FortiCloud SSO is enabled.

Fortinet has confirmed this flaw is actively exploited. Attackers are using it to:

  • Create local administrator accounts for persistence
  • Modify configurations to grant VPN access to rogue accounts
  • Exfiltrate firewall configurations

This exploitation chain gives attackers persistent access to network infrastructure even if the initial SSO bypass is later patched, making post-exploitation detection and remediation critical.

Recommendation

Organizations running FortiClientEMS 7.4.4 should upgrade to 7.4.5 immediately. For CVE-2026-24858, defenders should apply available patches across all affected Fortinet products, audit for unauthorized local admin accounts, review recent configuration changes — particularly VPN access rules — and verify no firewall configurations have been exfiltrated. Organizations using FortiCloud SSO should evaluate whether it can be temporarily disabled until patches are confirmed in place.
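One way to carry out the account and configuration audit recommended above: an added Python example (not from the advisory or from Fortinet) that flattens two FortiOS CLI configuration exports, a trusted pre-incident baseline and the current running config, and reports new entries under `config system admin` together with changes to user groups and SSL-VPN settings. The two abbreviated configs are constructed for illustration; real exports contain many more sections and are typically compared the same way.

```python
import shlex
from typing import Dict, List

# Constructed, abbreviated FortiOS CLI exports (not real device data).
BASELINE = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config user group
    edit "sslvpn_users"
        set member "alice" "bob"
    next
end
config vpn ssl settings
    set status disable
    set source-interface "wan1"
end
"""
CURRENT = BASELINE.replace(
    '    next\nend\nconfig user group',
    '    next\n    edit "support_tmp"\n        set accprofile "super_admin"\n'
    '        set vdom "root"\n        set trusthost1 0.0.0.0 0.0.0.0\n    next\nend\nconfig user group',
).replace('"alice" "bob"', '"alice" "bob" "support_tmp"').replace("status disable", "status enable")

# Config paths worth watching after an SSO-bypass intrusion (hypothetical selection).
WATCH = ("system admin/", "user local/", "user group/", "vpn ssl settings/")

def flatten(cfg: str) -> Dict[str, str]:
    """Flatten a FortiOS CLI config into {'section/edit/key': 'value'} using a context stack."""
    out, stack = {}, []
    for raw in cfg.splitlines():
        tok = shlex.split(raw.strip())
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))      # enter a section, e.g. "system admin"
        elif tok[0] == "edit":
            stack.append(tok[1])                 # enter a table entry
        elif tok[0] == "set":
            out["/".join(stack + [tok[1]])] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            stack.pop()                          # leave entry / section
    return out

def audit(baseline: str, current: str) -> Dict[str, List[str]]:
    """Report admin accounts absent from the baseline and any changed values under WATCH."""
    b, c = flatten(baseline), flatten(current)
    admins = lambda d: {k.split("/")[1] for k in d if k.startswith("system admin/")}
    changed = [f"{k}: {b.get(k)!r} -> {c.get(k)!r}"
               for k in sorted(set(b) | set(c)) if k.startswith(WATCH) and b.get(k) != c.get(k)]
    return {"new_admins": sorted(admins(c) - admins(b)), "changed": changed}

if __name__ == "__main__":
    for line in audit(BASELINE, CURRENT)["changed"]:
        print(line)
```

The flattener ignores `unset` lines and comments, so treat its output as a triage aid alongside the device's own event logs, not as a complete diff.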
