CISA's Fortinet Deadline Is Today. We've Been Alerting On The Exact SQL Pattern For Weeks.
- Patrick Duggan
- 7 hours ago
Federal civilian executive branch agencies have until end of day today, April 16, 2026, to mitigate CVE-2026-21643 — a pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that hands attackers OS-level remote code execution. CISA added it to the Known Exploited Vulnerabilities catalog on April 13. The deadline is three days later. That's the tightest federal timeline I've seen on a non-emergency directive in months, and it's the right call.
Active exploitation has been confirmed in the wild since March 30, 2026 — over two weeks of in-the-wild attacks before the federal mandate hit. By the time CISA published, the attackers were already inside.
We've been on record about this pattern for months. And our STIX feed consumers — 275+ enterprises across 46 countries — have been alerting on the actual exploit signatures since the proof-of-concept hit GitHub.
What CVE-2026-21643 Actually Does
The vulnerability is in FortiClient EMS's multitenancy code. Bishop Fox's deep dive explains the regression cleanly: in versions before 7.4.4, the database access layer used parameterized queries. In 7.4.4, someone replaced the parameterized handling with raw string interpolation in a single change to the database connection layer. That single change opened a pre-authentication SQL injection in the publicly-exposed /api/v1/init_consts endpoint.
The attack surface:
Pre-auth. No credentials required. The endpoint is reachable by anyone who can hit the management interface.
Header-based. The injection point is the Site: HTTP header. An attacker sends a crafted request, smuggles SQL through the header, and the server runs it.
Verbose errors. The endpoint returns database error messages back to the attacker. SQL injection plus error-based oracle plus zero rate-limiting means rapid data extraction.
PostgreSQL superuser. In the VM image Fortinet ships, the database connection runs as PostgreSQL superuser. That gives the attacker COPY ... TO/FROM PROGRAM, which is OS command execution as the postgres system user. Lab testing confirms arbitrary file creation on the underlying host.
Full credential extraction. Admin password hashes, API tokens, JWT secrets, the complete endpoint inventory of every managed FortiClient install — all readable from the database before the attacker even tries to escalate.
CVSS 9.8. The 0.2 between this and a 10.0 is the Scope metric, not the attack vector: network-reachable, low complexity, no privileges, no user interaction, and high confidentiality, integrity and availability impact already max out every other base metric (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Scope is rated Unchanged, which counts only the EMS host itself and not the fleet it manages. Operationally, treat it as a 10.
Affected: FortiClient EMS 7.4.4 only. Fixed in 7.4.5. Versions 7.2 and 8.0 are not affected. Patch path: upgrade to 7.4.5+ immediately.
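To make the regression in the database layer concrete, here is an added illustration in Python on an in-memory SQLite database. It is not FortiClient EMS code and not from Bishop Fox's write-up: the tenants/admins schema, the lookup functions and the payload are hypothetical, and the payload is a textbook UNION, not the in-the-wild exploit. It shows the two shapes the text contrasts, the same tenant lookup with the header value spliced into the query text versus bound as a parameter, plus the verbose database error that turns a failed injection into an oracle.

```python
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Hypothetical schema standing in for a multitenant console's tables
    (constructed for this example; the hash is a placeholder)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tenants (id INTEGER PRIMARY KEY, site TEXT NOT NULL);
        CREATE TABLE admins  (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO tenants VALUES (1, 'acme'), (2, 'globex');
        INSERT INTO admins  VALUES (1, 'admin', '$2b$12$constructed.hash.value');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, site: str) -> List:
    """The regression shape: the Site header value is spliced into the SQL
    text, so quotes and keywords inside it become part of the statement."""
    sql = f"SELECT id FROM tenants WHERE site = '{site}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, site: str) -> List:
    """The parameterized shape: the value travels as a bound parameter and is
    never parsed as SQL, whatever it contains."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM tenants WHERE site = ?", (site,))]


def error_oracle(conn: sqlite3.Connection, site: str) -> Optional[str]:
    """Models the verbose-error behaviour: the database error text an endpoint
    would hand back to the client, or None if the statement ran cleanly."""
    try:
        lookup_vulnerable(conn, site)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    payload = "x' UNION SELECT pw_hash FROM admins--"  # generic UNION, not the real exploit
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("safe:      ", lookup_safe(db, payload))
    print("oracle:    ", error_oracle(db, "x') --"))
```

The safe variant returns nothing for the payload because the quote and the UNION never reach the SQL parser as syntax; the vulnerable one hands back the admin hash, and a malformed value returns the parser's own error text, which is exactly the oracle the endpoint leaks.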
We Already Indexed The Exploit Signatures
When the proof-of-concept dropped, we ingested it. Right now in our IOC index you can find:
`Site: tenantSELECT` — the exact SQL injection pattern, indexed and tagged as exploit from 0xBlackash-poc
`/api/v1/init_consts` — the vulnerable endpoint, indexed as exploit from the same source
Anyone consuming the DugganUSA STIX feed has been alerting on these patterns since they hit our index. If you have a SIEM that subscribes to our feed (and you might — 275+ of you do, including Microsoft, AT&T, and Starlink pulling daily), the detection rule has been live for weeks. If you haven't seen alerts, it's because nobody's tried it against your perimeter yet — not because the rule isn't there.
The actionable detection patterns for anyone building Suricata, Snort, or WAF rules right now:
Detect on: any HTTP request to /api/v1/init_consts whose Site: header contains SQL keywords (SELECT, UNION, ;--, OR 1=1, and so on). Match case-insensitively; PostgreSQL keywords are case-insensitive, so an attacker's are too.
Detect on: any HTTP response from /api/v1/init_consts whose body contains PostgreSQL error strings (ERROR:, pg_, relation ... does not exist, syntax error at or near, and so on). A database error coming back on this path is the error-based oracle firing.
Hunt for: any successful POST to /api/v1/init_consts from an external address against your FortiClient EMS instances since March 30, 2026. A request on that path from an address you don't recognise is a lead, not noise.
Block at WAF: any HTTP header matching the regex tenant.*SELECT.*FROM or a similar SQL gadget pattern, evaluated case-insensitively after the request has been decoded. Treat the rule as a stopgap that buys time for the upgrade, not as the mitigation.
You don't need our feed to detect this. The IOCs are public. We just made them queryable in 200 milliseconds.
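The patterns above, turned into something you can run over your own logs as a sanity check. This is an added example, not the DugganUSA feed's rules or any vendor's code; the record layout (dicts with id, ts, src, method, path, status, headers, body), the internal address ranges and the log entries are all constructed. It implements all four bullets: SQL keywords in the Site: header (including the indexed literal tenantSELECT, which has no word boundary, so it gets its own alternative), PostgreSQL error strings in the response, and the hunt for successful external POSTs since March 30, with cheap evasions (percent-encoding, /**/ comments) normalized before matching.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

VULN_PATH = "/api/v1/init_consts"
EXPLOIT_START = datetime(2026, 3, 30, tzinfo=timezone.utc)

# Assumption: these ranges are "internal"; replace with your own address plan.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Request side. The indexed IOC "tenantSELECT" has no word boundary, so it is a
# literal alternative; the generic keywords keep \b to cut down false positives.
SITE_SQLI_RE = re.compile(
    r"tenantSELECT|tenant.*SELECT.*FROM|\bSELECT\b|\bUNION\b|;\s*--|\bOR\s+1\s*=\s*1\b",
    re.IGNORECASE,
)
# Response side: PostgreSQL error text leaking back to the client.
PG_ERROR_RE = re.compile(
    r"ERROR:|\bpg_[a-z_]+|relation .+ does not exist|syntax error at or near",
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """Undo cheap evasions before matching: percent-encoding, /**/ comments
    used as whitespace, and runs of whitespace."""
    value = unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", value).strip()


def is_external(src: str) -> bool:
    ip = ip_address(src)
    return not any(ip in net for net in INTERNAL_NETS)


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def classify(rec: dict) -> list:
    """Reasons this record matches, in the order of the bullets above; empty if clean."""
    if rec["path"].split("?", 1)[0] != VULN_PATH:
        return []
    reasons = []
    if SITE_SQLI_RE.search(normalize(header(rec["headers"], "Site"))):
        reasons.append("sqli-in-site-header")
    if PG_ERROR_RE.search(rec.get("body", "")):
        reasons.append("pg-error-in-response")
    if (rec["method"] == "POST" and 200 <= rec["status"] < 300
            and is_external(rec["src"]) and rec["ts"] >= EXPLOIT_START):
        reasons.append("external-post-since-2026-03-30")
    return reasons


def hunt(records: list) -> dict:
    """Map record id -> reasons, for every record that fires at least once."""
    out = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            out[rec["id"]] = reasons
    return out


def ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed log records for the example, not captured traffic.
SAMPLE_RECORDS = [
    {"id": "r1", "ts": ts(2026, 4, 1), "src": "10.20.0.5", "method": "GET",
     "path": VULN_PATH, "status": 200, "headers": {"Site": "acme"}, "body": "{}"},
    {"id": "r2", "ts": ts(2026, 4, 2), "src": "203.0.113.10", "method": "POST",
     "path": VULN_PATH, "status": 200, "headers": {"site": "tenantSELECT"}, "body": "{}"},
    {"id": "r3", "ts": ts(2026, 4, 2), "src": "198.51.100.7", "method": "GET",
     "path": VULN_PATH + "?x=1", "status": 500,
     "headers": {"Site": "acme%27%20UNION/**/SELECT 1--"},
     "body": 'ERROR:  syntax error at or near "UNION"'},
    {"id": "r4", "ts": ts(2026, 3, 20), "src": "203.0.113.10", "method": "POST",
     "path": VULN_PATH, "status": 200, "headers": {"Site": "acme"}, "body": "{}"},
    {"id": "r5", "ts": ts(2026, 4, 10), "src": "192.0.2.44", "method": "POST",
     "path": VULN_PATH, "status": 200, "headers": {"Site": "globex"}, "body": "{}"},
    {"id": "r6", "ts": ts(2026, 4, 10), "src": "203.0.113.10", "method": "POST",
     "path": "/api/v1/login", "status": 200, "headers": {"Site": "tenantSELECT"}, "body": "{}"},
]

if __name__ == "__main__":
    for rid, reasons in hunt(SAMPLE_RECORDS).items():
        print(rid, ", ".join(reasons))
```

Record r3 is the interesting one: the header only matches after percent-decoding and comment stripping, and the 500 body trips the response-side rule independently, which is why a detection on either side alone is weaker than both together. Record r4 is an external POST before the exploit window and is deliberately not flagged by the date rule; widen EXPLOIT_START if your exposure predates it.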
Fortinet's "CVSS 9 Per Quarter" Cadence
This is the second time in three weeks I'm writing about a critical Fortinet management console vulnerability. We covered the broader pattern on April 4 in Another Day, Another Management Console Owned, where I counted five separate CVSS 9+ vulnerabilities in Fortinet management products in the past 18 months. CVE-2026-21643 makes it six.
There is a pattern here, and it's not random:
Management consoles are juicier targets than the firewalls they manage. Compromise the EMS, you compromise every endpoint it manages. One vulnerability cascades to thousands of installs.
Fortinet ships fast. Fast shipping and security regressions are correlated. The 7.4.4 regression — a single change from parameterized queries to string interpolation in a release branch — is the kind of mistake that happens in compressed timelines.
Public sector concentration. Fortinet sells heavily into federal, state, and local government. Every CISA KEV addition is essentially a federal procurement audit moment for the vendor. The cadence isn't tolerable forever.
We will keep writing this story. Every time it happens, we will index the IOCs, ship them to the feed, and publish the post. The receipts compound.
What To Do Right Now
If you operate FortiClient EMS:
Identify version. If you're on 7.4.4, you are vulnerable. If you're on 8.0 or 7.2, you are not affected by this specific CVE.
Upgrade to 7.4.5+ immediately. Fortinet PSIRT advisory: FG-IR-25-1142. NVD: CVE-2026-21643.
If you can't patch today, restrict network access to the EMS management interface. Take it off the internet. Put it behind a VPN. The exploit is pre-authentication — exposure is the entire vulnerability.
Hunt for prior compromise. If your EMS has been internet-exposed since late March, assume an attacker has already read the admin password hashes, API tokens, JWT secret and endpoint inventory out of the database. Rotate all of it, including the JWT secret so that tokens minted with the stolen one stop validating. Since the database runs as superuser and COPY ... TO PROGRAM gives OS command execution, assume the host itself may carry persistence; rebuild from a known-good image if you can't trust it.
If you're a federal agency:
The CISA mandate is end of day today. The mitigation actions are documented in BOD 22-01. If you're reading this and you haven't acted, you are out of compliance as of midnight.
If you're a STIX feed consumer:
The detection rules are already in your alerting pipeline. Check your SIEM for any alerts on the /api/v1/init_consts path or the Site: header SQL pattern. If you've seen activity, treat it as a probable compromise of your FortiClient EMS.
If you're not yet a STIX feed consumer:
analytics.dugganusa.com/api/v1/stix-feed. Free tier. Microsoft, AT&T, and Starlink are pulling daily. The exploit signatures for this CVE have been in the feed for weeks. They will be in the feed for the next one too.
The Pattern That Won't Stop
Fortinet ships the next critical management console vulnerability on roughly a quarterly cadence. We will write the next post when it happens. The IOCs will be in our index before the CISA KEV addition. Our STIX consumers will be alerting before the federal deadline.
That is the work. That is the value. That is why an honest threat intel feed beats a marketing feed every time.
If you operate Fortinet at scale and your security organization is not yet factoring this cadence into its vendor risk model, it should be. Six CVSS 9+ vulnerabilities from a single vendor in 18 months is an indictment, not an incident.
We told you in February. We told you again on April 4. We told you again on April 9. We told you again on April 15. Now we are telling you on April 16, the deadline day.
If you're still on 7.4.4 at midnight, that is a choice.
— Patrick
References:
DugganUSA STIX feed: https://analytics.dugganusa.com/api/v1/stix-feed