This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A critical **SQL Injection (SQLi)** flaw in FortiClientEMS. **Consequences**: An unauthenticated attacker can execute unauthorized code or commands, steal data, or take full control of the EMS server via crafted HTTP requests.
Q2 Root Cause? (CWE/Flaw)
**CWE-89**: Improper Neutralization of Special Elements used in an SQL Command. **Flaw**: The value of the 'Site' HTTP header is concatenated, unsanitized, into the SQL that sets PostgreSQL's `search_path`, so header content is interpreted as SQL.
**Privileges**: None; the request is unauthenticated. **Data**: Full database manipulation and information disclosure, with potential **OS command execution** through PostgreSQL server-side features (for example `COPY ... TO PROGRAM`, which requires superuser or `pg_execute_server_program` rights, so the reachable impact depends on the privileges of the database role EMS connects with).
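To make the root cause concrete, the following is an added Python illustration, not FortiClientEMS code (the product's backend is not shown on the page): the flawed pattern of pasting the 'Site' header into a `SET search_path` statement beside a hardened version that combines an allowlist with a bound parameter. The sample header values and the site-name policy are assumptions for the example.

```python
import re

# Constructed sample values for the 'Site' HTTP header (illustration only).
BENIGN_SITE = "default"
MALICIOUS_SITE = "public; SELECT pg_sleep(10); --"

# Assumed site-name policy: one PostgreSQL-style identifier. The real EMS
# naming rules are not stated on the page; adjust the pattern to match them.
SITE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def vulnerable_search_path_sql(site: str) -> str:
    """The flawed pattern: the raw header value is pasted into the SQL text.

    A ';' in the header ends the SET statement and starts an attacker-chosen
    one, and a trailing '--' comments out whatever the application appended.
    """
    return f"SET search_path TO {site}, public"


def site_is_allowed(site: str) -> bool:
    """Allowlist check: accept only a plain schema name, nothing else."""
    return SITE_NAME_RE.fullmatch(site) is not None


def quote_identifier(name: str) -> str:
    """Quote a PostgreSQL identifier: double quotes around it, embedded ones doubled.

    This is the same escaping rule psycopg2's sql.Identifier applies.
    """
    return '"' + name.replace('"', '""') + '"'


def hardened_search_path(site: str) -> tuple:
    """Return (sql, params) that changes search_path through a bound parameter.

    SET itself cannot take bind parameters, so the value goes through
    set_config() instead; the allowlist rejects anything that is not a plain
    schema name, and quote_identifier() keeps the name's case inside the
    search_path list.
    """
    if not site_is_allowed(site):
        raise ValueError(f"rejected Site header: {site!r}")
    value = f"{quote_identifier(site)}, public"
    return "SELECT set_config('search_path', %s, false)", (value,)
```

Executing the returned pair as `cur.execute(sql, params)` with psycopg2 sends the value as a bound parameter, so no byte of the header can change the statement structure; the allowlist is defence in depth and also stops a request from switching the session to an unexpected schema.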
Q5 Is exploitation threshold high? (Auth/Config)
**Threshold**: LOW. **Auth**: **No authentication** needed. **Config**: Exploitable with ordinary HTTP requests to the `/api/v1/init_consts` endpoint, so any EMS instance whose web interface the attacker can reach is exposed.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp?**: YES. **PoC**: Available as a ProjectDiscovery Nuclei template. **Status**: High risk of automated in-the-wild exploitation, since the PoC is easy to obtain and run at scale.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Inventory FortiClientEMS installations and identify those running v7.4.4. **Indicator**: Confirm whether the `/api/v1/init_consts` endpoint is reachable from untrusted networks, and test for (or review logs for) requests whose 'Site' header carries SQL syntax.
**No Patch?**: Block external access to `/api/v1/init_consts` at the perimeter or reverse proxy. **Mitigation**: Add a WAF rule that rejects requests whose 'Site' header contains quotes, statement separators, comment markers or SQL keywords. Treat both measures as stopgaps: a WAF pattern list can be bypassed, and only the vendor fix removes the injection point.
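As an added example for the self-check and no-patch mitigation above (not from the page, Fortinet or the Nuclei project), the following Python hunts a web-server log for requests to `/api/v1/init_consts` whose 'Site' header looks like an injection attempt, or that reached the endpoint from outside the management network. The JSON-lines log format, the sample records and the internal address ranges are constructed assumptions; adapt the parser to whatever your reverse proxy or the EMS web server actually logs.

```python
import json
import re
from ipaddress import ip_address, ip_network

TARGET_PATH = "/api/v1/init_consts"

# Allowlist for the Site header: one plain schema-style name (assumed policy).
SITE_OK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Patterns a WAF rule on the Site header would also look for: quotes, statement
# separators, comment markers and a few PostgreSQL keywords. Bypassable on its
# own, which is why the allowlist above is the decisive check.
SQL_META_RE = re.compile(r"""['";]|--|/\*|\b(select|union|copy|pg_sleep|set_config)\b""", re.I)

# Assumed management networks from which EMS traffic is legitimate.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample records. The JSON-lines shape (ts, src, method, path, site)
# is an assumption for this example, not the EMS web server's real log format.
SAMPLE_LOG = """\
{"ts": "2025-05-01T10:00:01Z", "src": "10.0.0.5", "method": "GET", "path": "/api/v1/init_consts", "site": "default"}
{"ts": "2025-05-01T10:00:07Z", "src": "203.0.113.7", "method": "GET", "path": "/api/v1/init_consts", "site": "public; SELECT pg_sleep(10); --"}
{"ts": "2025-05-01T10:00:09Z", "src": "198.51.100.4", "method": "GET", "path": "/api/v1/init_consts", "site": "default"}
{"ts": "2025-05-01T10:00:12Z", "src": "203.0.113.7", "method": "GET", "path": "/api/v1/other", "site": "x'; --"}
{"ts": "2025-05-01T10:00:15Z", "src": "10.0.0.9", "method": "GET", "path": "/api/v1/init_consts", "site": "a\\" OR 1=1"}
"""


def is_internal(src: str) -> bool:
    """True when the source address falls inside one of the assumed internal networks."""
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def classify(record: dict):
    """Return a finding label for one parsed record, or None when nothing stands out."""
    if record.get("path") != TARGET_PATH:
        return None
    site = record.get("site")
    if site is not None and (not SITE_OK_RE.fullmatch(site) or SQL_META_RE.search(site)):
        return "sqli-pattern-in-site-header"
    if not is_internal(record["src"]):
        return "init_consts-reached-from-external-address"
    return None


def hunt(log_text: str) -> list:
    """Parse JSON-lines log text and return one finding per suspicious record."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = json.loads(line)
        label = classify(record)
        if label:
            findings.append({"line": lineno, "src": record["src"], "site": record.get("site"), "finding": label})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['finding']} src={f['src']} site={f['site']!r}")
```

The external-address finding is what the "block external access" stopgap should have prevented, so any hit there is a control failure worth confirming at the perimeter. `SQL_META_RE` is a reasonable seed for the WAF rule, but because keyword lists can be evaded, the allowlist (`SITE_OK_RE`) is the check that should decide; it only works if the header is actually logged, so confirm that the proxy records it before relying on this hunt.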
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: CRITICAL. **Priority**: **P1**. CVSS score in the Critical range (9.8). Patch or mitigate immediately to prevent total compromise of the EMS server.