SQL injection

Critical Flaw Identified in Fortinet Product ‘FortiClientEMS’; Security Updates Released

Fortinet released security updates for CVE-2026-21643

Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw, classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests.

Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

Technical Details

With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations relying on FortiClientEMS for endpoint management.

The flaw affects the following versions:

  • FortiClientEMS 7.2 (Not affected)
  • FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
  • FortiClientEMS 8.0 (Not affected)

The vulnerability, CVE-2026-21643, resides in the FortiClientEMS administrative web interface.

The vulnerability is caused by improper neutralization of user-supplied input in SQL queries. The flaw allows an unauthenticated attacker to send specially crafted HTTP requests to the FortiClientEMS GUI.

This results in the execution of arbitrary SQL statements, leading to unauthorized access, data exfiltration, privilege escalation and remote code execution (RCE) on any primary system.

Remediation

Immediate patching is strongly recommended to prevent potential exploitation, as the vulnerability allows attackers to bypass authentication and gain full control over the targeted system.

In addition to patching, organizations should implement the following best practices to reduce exposure and detect potential exploitation attempts:

  • Administrators should review web server and application logs for unusual or unauthorized HTTP requests targeting the FortiClientEMS administrative interface.
  • Monitoring for unexpected creation of administrative accounts or the execution of system commands originating from the FortiClientEMS host can help identify compromise.
  • Restricting network access to the FortiClientEMS management interface to trusted IP addresses and enforcing strong authentication controls can further reduce the attack surface.
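
The log review and source-restriction checks above, sketched as an added example (not Fortinet's code or tooling): it flags access-log entries that come from outside an allow-listed management network, carry SQL metacharacters in the query string, or end in a server error. The trusted subnet, the "combined" log format and the request paths are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

# Assumptions, not from the advisory: the management subnet and the
# access-log layout (Apache/Nginx "combined" format).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Characters and keywords that rarely belong in admin-GUI parameters.
SQL_META_RE = re.compile(
    r"(?i)'|--|;|/\*|\b(?:union|select|insert|update|delete|drop|exec|sleep|waitfor)\b")

def is_trusted(ip_text):
    """True only for a literal IP inside an allow-listed management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def triage(line):
    """Return the reasons a logged request deserves review (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    reasons = []
    if not is_trusted(m["ip"]):
        reasons.append("untrusted-source")
    # Decode twice so double-encoded input (%2527) is still inspected.
    query = unquote_plus(unquote_plus(urlsplit(m["target"]).query))
    if SQL_META_RE.search(query):
        reasons.append("sql-metacharacters")
    if m["status"].startswith("5"):
        reasons.append("server-error")
    return reasons

def review(lines):
    """Pair each flagged line number (1-based) with its reasons."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := triage(line))]

# Constructed sample lines; the paths are placeholders, not real product URLs.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /placeholder/devices?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [01/Jan/2026:10:00:05 +0000] "GET /placeholder/devices?name=a%27%20OR%201%3D1-- HTTP/1.1" 500 87 "-" "curl/8.5"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /placeholder/login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.20.0.15 - - [01/Jan/2026:10:00:12 +0000] "GET /placeholder/devices?name=x%2527%2520UNION%2520SELECT HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A keyword match is a triage signal, not proof of compromise; flagged entries still need to be correlated with account-creation and process-execution events on the host.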

There is currently no evidence of exploitation in the wild, but the flaw has been termed a high-priority issue for all organizations using the affected product version, because the attack surface is vulnerable.

Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.

Conclusion:

The vulnerability is not present in FortiClientEMS versions 7.2, 8.0, or FortiEMS Cloud. The issue has been resolved in FortiClientEMS version 7.4.5 and later.

In the past, similar SQL injection and remote code execution vulnerabilities were found in Fortinet products and were targeted by cybercriminals and state-sponsored actors for financial benefits.

Sources: FortiClientEMS CVE-2026-21643: Critical Unauthenticated SQL Injection Vulnerability Allows Remote Code Execution

Zoho Analytics On-Premise Critical SQL Injection Vulnerability Allows Attackers to Takeover Data

Zoho Analytics on-premise installations were recently found to have a SQL injection vulnerability, CVE-2025-8324, that exposes enterprise environments to risk. The flaw is prevalent in all Zohocorp ManageEngine products built prior to the most recent patch and enables attackers to exploit weaknesses in the application’s input validation logic.

The flaw enables attackers to execute arbitrary SQL queries without prior authentication, leading to unauthorized data exposure and account takeovers.

OEM Zoho 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-8324 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview

Malicious actors can launch attacks remotely and take over user accounts, sensitive analytics data and any connected business intelligence workflows. Administrators are urged to update to the latest version to mitigate this risk.

| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Unauthenticated SQL Injection | CVE-2025-8324 | Zoho Analytics On-Premise | Critical | 6171 and later |

Technical Summary 

At the root of this flaw is improper input validation for user-supplied parameters within specific URLs of the Zoho Analytics Plus backend.

This allows arbitrary SQL queries to be executed by anyone with network access to the service, even if they have no login credentials. Zoho has enforced input checks and removed vulnerable backend components altogether.

| CVE ID | Component Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-8324 | Zoho Analytics Plus On-Premise | An unauthenticated SQL injection vulnerability caused by improper input validation allowing attackers to inject arbitrary SQL queries remotely without authentication. | Account takeover, user data leak |

Recommendations 

  • Organizations must update Zoho Analytics Plus On-Premises immediately to the Build 6171 version or later. 

Here are some recommendations you can follow   

  • Enforce patch deployment across all managed analytics instances to ensure consistency and security. 
  • Continuously monitor logs for unusual SQL query activities or access attempts that could indicate exploitation attempts. 

Conclusion: 
In Zoho Analytics On-Premise deployments, unauthenticated SQL injection could enable full data and account compromise. CVE-2025-8324 represents a critical security risk, classified at the highest severity level due to its potential impact and ease of exploitation.

Although no active exploitation has been detected to date, the severity of the flaw demands immediate attention. Immediate patching is essential to secure environments and prevent any chance of data compromise or unauthorized access. 


Pre-Auth Remote Code Execution Flaws Patched in Sophos Firewall 

Summary: Sophos has resolved several critical security vulnerabilities in its Firewall products. The most severe vulnerability could allow remote code execution without authentication, potentially giving attackers full control over impacted systems.

OEM Sophos 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-6704, CVE-2025-7624 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

To address the issue, Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated as critical and present a serious threat to enterprise networks around the globe.

| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Arbitrary file writing vulnerability in Secure PDF eXchange (SPX) feature | CVE-2025-6704 | Sophos Firewall | Critical | SFOS 21.0 MR2 (21.0.2) and later |
| SQL injection vulnerability in legacy SMTP proxy | CVE-2025-7624 | Sophos Firewall | Critical | SFOS 21.0 MR2 (21.0.2) and later |

Technical Summary 

CVE-2025-6704 and CVE-2025-7624 were identified in Sophos Firewall versions prior to 21.0 MR2 (21.0.2), both with a CVSS v3.1 base score of 9.8, indicating critical severity.

CVE-2025-6704 involves an arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature.

When SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability.

CVE-2025-7624 pertains to an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could potentially allow remote code execution.

Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network. 

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-6704 | v21.5 GA and older | A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices. | Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature |
| CVE-2025-7624 | v21.5 GA and older | An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices. | Remote code execution via SMTP proxy |

In addition to the critical-severity vulnerabilities, two high-severity issues and one medium-severity issue were addressed.

CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8) 

A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.  

CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1) 

 A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution. 

CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8) 

A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code. 

Remediation

Users should immediately update Sophos Firewall to the latest patched version: 

  • For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later. 
  • For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later. 

If you are not using the Secure PDF eXchange (SPX) feature or legacy SMTP proxy, consider disabling them until they are patched. 

Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.

Conclusion: 
The vulnerabilities in Sophos Firewalls allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.

Fortunately, Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify their firewalls are fully updated and have auto update enabled to stay protected. 

The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.


Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary: Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities (one actively exploited and one publicly disclosed) affecting core components like Windows WebDAV and the SMB Client.

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| --- | --- | --- | --- | --- |
| WebDAV Remote Code Execution (Exploited in the wild) | CVE-2025-33053 | Windows | High | 8.8 |
| SMB Client Elevation of Privilege (Publicly disclosed) | CVE-2025-33073 | Windows | High | 8.8 |

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-33053 | Windows 10, 11 and Windows Server | WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. | Remote Code Execution |
| CVE-2025-33073 | Windows 10, 11 and Windows Server | EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. | Elevation of Privilege |

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  • Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain a regular patch schedule.

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 
