Overview
- Threat intelligence firm Defused reports real-world attacks over the weekend against exposed FortiClient Endpoint Management Server consoles.
- The critical flaw in version 7.4.4 lets an unauthenticated request inject SQL through the Site HTTP header into the database before any login check.
- Bishop Fox detailed an abuse path via the /api/v1/init_consts endpoint and showed attackers can pull admin credentials, device inventories, policies, and endpoint certificates.
- Public proof-of-concept code is now available, which raises the risk for organizations that have not upgraded or restricted access.
- Fortinet fixed the bug in 7.4.5, but many EMS web interfaces remain online (Shodan counts about 1,000 and Shadowserver tracks over 2,000). Fortinet and CISA have not flagged confirmed exploitation.
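
For defenders triaging exposure, the following added example (not from Defused, Bishop Fox or Fortinet) reviews proxy logs for requests whose Site header falls outside an allowlist and marks hits on /api/v1/init_consts. The JSON-lines log format, its field names, the allowlist pattern and the sample records are all assumptions constructed for illustration.

```python
import json
import re

# Assumption: legitimate Site values are short site labels; adjust to your naming.
SAFE_SITE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
KNOWN_ABUSE_PATH = "/api/v1/init_consts"  # endpoint named in the Bishop Fox write-up

# Constructed sample input: JSON-lines proxy log that records the Site request header.
SAMPLE_LOG = "\n".join([
    '{"src": "198.51.100.7", "path": "/api/v1/init_consts", "site": "default", "status": 200}',
    '{"src": "203.0.113.9", "path": "/api/v1/init_consts", "site": "acme\'--", "status": 500}',
    '{"src": "203.0.113.9", "path": "/constructed/path", "site": "a b;c", "status": 401}',
    '{"src": "198.51.100.7", "path": "/constructed/path", "status": 200}',
    'not json at all',
])


def flag_site_header_anomalies(log_text):
    """Return one finding per request whose Site header is outside the allowlist."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines the proxy did not write as JSON
        if not isinstance(rec, dict) or "site" not in rec:
            continue  # no Site header was sent on this request
        site = str(rec["site"])
        if SAFE_SITE.fullmatch(site):
            continue  # value looks like an ordinary site label
        findings.append({
            "line": lineno,
            "src": rec.get("src"),
            "path": rec.get("path"),
            # The flaw is reachable before login, so every path is reviewed;
            # hits on the published abuse path are marked for priority.
            "known_abuse_path": rec.get("path") == KNOWN_ABUSE_PATH,
            "site_repr": repr(site[:80]),  # repr() keeps control characters visible
        })
    return findings


if __name__ == "__main__":
    for finding in flag_site_header_anomalies(SAMPLE_LOG):
        print(finding)
```

A finding is a prompt to review that source's other requests, not proof of compromise; standard access logs do not record custom headers, so the proxy has to be configured to log Site first.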