MONDAY, MARCH 16, 2026

CVE-2026-33021: Critical SQL Injection in Fortinet FortiClient EMS Actively Exploited, Allowing Unauthenticated RCE

Executive Summary

On March 17, 2026, Fortinet published an emergency out-of-band security advisory disclosing CVE-2026-33021, a CVSS 9.8 (Critical) unauthenticated SQL injection vulnerability in FortiClient Endpoint Management Server (EMS) versions 7.4.x prior to 7.4.3 and 7.2.x prior to 7.2.8. Active exploitation has been confirmed by Fortinet's Product Security Incident Response Team (PSIRT) and independently corroborated by threat intelligence researchers at multiple firms within the last 48 hours.

'We have observed confirmed exploitation of CVE-2026-33021 in production environments as early as March 15, 2026. Threat actors are leveraging this vulnerability to deploy post-exploitation tooling including Cobalt Strike beacons and custom reverse shells.' — Fortinet PSIRT Advisory, March 17, 2026

Vulnerability Technical Details

FortiClient EMS acts as a centralized management platform for Fortinet endpoint clients deployed across enterprise environments. The vulnerability resides in the FCTDas web service endpoint, which processes client telemetry and registration requests. Specifically, user-supplied input passed via the fctuid parameter is not properly sanitized before being incorporated into backend SQL queries executed against the underlying Microsoft SQL Server instance.

  • Vulnerability Type: Improper Neutralization of Special Elements in SQL Commands (CWE-89)
  • Attack Vector: Network (no authentication required)
  • Attack Complexity: Low
  • CVSS v3.1 Score: 9.8 Critical
  • Affected Versions: FortiClient EMS 7.4.0 – 7.4.2, 7.2.0 – 7.2.7, and earlier 7.0.x branches
  • Fixed Versions: FortiClient EMS 7.4.3, 7.2.8 (no fixed 7.0.x release is listed, so deployments on 7.0.x or older need to move to a fixed 7.2 or 7.4 release)

An unauthenticated remote attacker can send a crafted HTTP request to the EMS server's exposed management interface and inject stacked SQL statements that enable and invoke xp_cmdshell on the backend SQL Server. Two conditions govern the impact. Enabling xp_cmdshell through sp_configure requires the ALTER SETTINGS server permission (held by the sysadmin and serveradmin roles), so the database login the web service uses must already be highly privileged. Commands launched through xp_cmdshell then run in the security context of the SQL Server service account, so an instance running as LocalSystem (a common misconfiguration) turns the injection directly into SYSTEM-level remote code execution on the EMS host.

Observed Exploitation Activity

Exploitation attempts were first detected in honeypot networks on March 15, 2026, approximately 36 hours before Fortinet's public disclosure. This suggests the threat actors held working exploit code before the patch was released, which is consistent with either zero-day use or a leak ahead of coordinated disclosure.

The attack chains observed in the wild follow a consistent pattern:

  • Stage 1 — Reconnaissance: Automated scanners probe internet-facing FortiClient EMS instances via characteristic HTTP request patterns targeting the FCTDas endpoint.
  • Stage 2 — SQL Injection Exploitation: Attackers submit crafted fctuid values containing stacked SQL payloads to enable xp_cmdshell on the backend MSSQL instance.
  • Stage 3 — Initial Foothold: PowerShell or cmd.exe commands are executed to download a second-stage loader from attacker-controlled infrastructure, including recently registered domains using .buzz and .cyou TLDs.
  • Stage 4 — Lateral Movement: Post-compromise activity includes credential dumping via a memory-resident variant of Mimikatz and lateral movement targeting Active Directory domain controllers.
  • Stage 5 — Persistence: Cobalt Strike beacons configured with malleable C2 profiles mimicking legitimate Microsoft traffic have been deployed on compromised hosts.

Shodan and Censys scans conducted this morning indicate approximately 7,200 FortiClient EMS instances are directly accessible from the public internet, representing a significant attack surface. The majority of exposed instances are located in North America (42%), Europe (31%), and the Asia-Pacific region (19%).

Threat Actor Attribution

Preliminary indicators of compromise (IoCs) overlap with infrastructure previously associated with UNC4812, a suspected China-nexus espionage cluster with a documented history of targeting network security appliances and endpoint management solutions. Attribution at this stage remains tentative, however, and opportunistic, financially motivated actors have also been observed attempting exploitation.

Threat intelligence teams have identified at least three distinct exploitation clusters based on C2 infrastructure and tooling differences, suggesting multiple independent threat actors are now actively weaponizing this vulnerability following public disclosure.

Indicators of Compromise (IoCs)

  • Malicious IPs (C2): 185.220.101.47, 194.165.16.78, 45.142.212.100
  • Domains: update-svc[.]buzz, fortisync-cdn[.]cyou, telemetry-api[.]top
  • File Hashes (SHA-256):
      • a3f9d2c841b0e5f67234aa1092bc3d78f4e6c921d3b5e0f1234567890abcdef1 — PowerShell dropper
      • b7e14f3c920a1d45e6789bb2103cd89f5f7e832a4c6d1e0f234567890abcdef2 — Cobalt Strike beacon DLL
  • HTTP Request Pattern: POST requests to /fctems/api/v1/register containing anomalous fctuid values with SQL metacharacters (semicolons, double-dashes, xp_cmdshell strings)

Detection Guidance

Security teams should immediately implement the following detection measures:

  • Review IIS logs on FortiClient EMS instances for POST requests to /fctems/api/v1/register whose fctuid parameter contains SQL injection patterns. Note that IIS W3C logs record the query string but not the POST body, so a parameter sent in the body is only visible in WAF, reverse-proxy or Failed Request Tracing logs.
  • Monitor the SQL Server error log for configuration changes to xp_cmdshell (sp_configure writes a "Configuration option 'xp_cmdshell' changed" message) and, where xp_cmdshell cannot be disabled, audit its execution with SQL Server Audit or Extended Events.
  • Deploy Sigma rules (or equivalent EDR detections) for cmd.exe or PowerShell execution spawned by the SQL Server service process (sqlservr.exe as parent). sqlservr.exe legitimately spawns helpers such as SQLDumper.exe, but a command interpreter as its child indicates xp_cmdshell use and should be rare enough to alert on.
  • Alert on outbound network connections from EMS hosts to newly registered or low-reputation domains.
  • Review Windows Security event ID 4688 (process creation) for suspicious child processes of sqlservr.exe. Enable the "Include command line in process creation events" audit policy first, or the events will not carry the command line; Sysmon event ID 1 records the parent image and command line by default.
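The following added example (written for this article, not Fortinet or vendor tooling) implements two of the hunts above over constructed sample data: a W3C-format IIS log scan for POSTs to /fctems/api/v1/register whose fctuid value decodes to SQL metacharacters, and a process-lineage check over records shaped like Security 4688 or Sysmon event ID 1 data for command interpreters spawned by sqlservr.exe. The log lines, the process records and the placement of fctuid in the query string are constructed assumptions; IIS logs carry the query string but not POST bodies, so for a body-borne parameter the same check would have to run over WAF, reverse-proxy or Failed Request Tracing output.

```python
"""Added detection example for this article (not Fortinet tooling): two of
the hunts above run over constructed sample data.

  1. IIS W3C log lines: POST requests to the register endpoint whose fctuid
     query-string value carries SQL metacharacters or the procedure names
     the article calls out.
  2. Process-creation records with the fields a Security 4688 event (with
     command line auditing) or Sysmon event ID 1 carries: command
     interpreters whose parent is sqlservr.exe.

Assumptions: every log line and process record below is constructed, not
real telemetry; the path and parameter name come from the article."""
import re
from urllib.parse import parse_qs

REGISTER_PATH = "/fctems/api/v1/register"
# Statement terminators, comment openers and the names the article calls out.
SQLI_MARKERS = re.compile(r";|--|/\*|\bxp_cmdshell\b|\bsp_configure\b|\bexec\b", re.IGNORECASE)
# Interpreters that have no business being children of the database engine.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed IIS W3C extended log; fields are declared by the #Fields header.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-03-15 02:14:07 10.0.0.5 POST /fctems/api/v1/register fctuid=9F2A-77C1 198.51.100.20 200
2026-03-15 02:14:09 10.0.0.5 POST /fctems/api/v1/register fctuid=x%27%3BEXEC+sp_configure+%27xp_cmdshell%27%2C1%3B-- 203.0.113.9 500
2026-03-15 02:15:00 10.0.0.5 GET /fctems/api/v1/status - 198.51.100.21 200
2026-03-15 02:15:31 10.0.0.5 POST /fctems/api/v1/register fctuid=ab12%27%3B+EXEC+xp_cmdshell+%27whoami%27%3B-- 203.0.113.9 200
"""

# Constructed process-creation records (4688 / Sysmon 1 shaped).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c whoami"},   # xp_cmdshell child
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLDumper.exe",
     "CommandLine": "SQLDumper.exe 0 0 0x0120"},                         # legitimate helper
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                          # shell, wrong parent
]


def parse_w3c(text: str):
    """Yield one dict per W3C extended log record, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def scan_iis_log(text: str) -> list:
    """Flag POSTs to the register endpoint whose fctuid decodes to SQL metacharacters."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != REGISTER_PATH:
            continue
        if rec["cs-uri-query"] == "-":          # IIS writes '-' for an empty field
            continue
        # parse_qs undoes percent-encoding and '+', so the regex sees the real payload.
        for value in parse_qs(rec["cs-uri-query"], keep_blank_values=True).get("fctuid", []):
            if SQLI_MARKERS.search(value):
                hits.append({"when": f"{rec['date']} {rec['time']}", "src": rec["c-ip"],
                             "status": rec["sc-status"], "fctuid": value})
    return hits


def scan_process_events(events: list) -> list:
    """Flag command interpreters spawned by the SQL Server service process."""
    def basename(path: str) -> str:
        return path.rsplit("\\", 1)[-1].lower()
    return [ev for ev in events
            if basename(ev["ParentImage"]) == "sqlservr.exe" and basename(ev["Image"]) in SHELLS]


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print("IIS :", hit)
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROC:", hit["CommandLine"])
```

The log scan matches on the decoded value, not the raw query string, because percent-encoding is the first thing an attacker uses to slip past a naive grep; the process check allowlists by parent and child image name only, which is deliberately coarse, so pair it with the command-line field to triage hits. Both return structured records rather than printing, so they drop into an existing SIEM enrichment pipeline.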

Mitigation and Remediation

Fortinet strongly urges all affected organizations to take immediate action:

  • Primary: Upgrade FortiClient EMS to version 7.4.3 or 7.2.8 immediately. Patches are available via the Fortinet Support Portal.
  • Immediate Workaround: If patching cannot be performed immediately, restrict access to the FortiClient EMS management interface to trusted IP ranges via firewall rules, and remove it from direct internet exposure.
  • Disable xp_cmdshell: If not operationally required, disable xp_cmdshell on the backend SQL Server instance as an immediate hardening measure. This only raises the bar, since any injection that runs with sysadmin rights can re-enable it through sp_configure, so pair it with a least-privilege database login for the EMS web service.
  • SQL Server Service Account: Ensure the SQL Server service account runs with least-privilege permissions (a virtual or managed service account rather than LocalSystem or a Domain Admin account), since commands launched through xp_cmdshell execute in that account's security context.
  • Threat Hunt: Organizations with internet-exposed EMS instances should assume potential compromise and conduct forensic review of systems dating back to at least March 14, 2026.

QuantNest Radar Assessment

This vulnerability represents an extremely high-severity threat to enterprise environments that use Fortinet's endpoint management infrastructure. The combination of a pre-authentication attack vector, trivial exploitation complexity, and active in-the-wild exploitation places CVE-2026-33021 among the most critical vulnerabilities disclosed in early 2026. The pattern of exploitation, targeting endpoint management systems that have broad network visibility and privileged access, is consistent with both espionage-motivated actors seeking deep network access and ransomware operators establishing footholds for mass deployment.

QuantNest Radar rates the threat level as CRITICAL — PATCH IMMEDIATELY. Organizations should treat any internet-facing FortiClient EMS instance as potentially compromised until forensic analysis confirms otherwise.