Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.
A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X.
In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.
EXPLORE MORE
The Bibi Files: A Cinematic Dissection of Power, Privilege, and Prosecution
The documentary The Bibi Files, directed by Alexis Bloom and produced by…
Satellite Intel: Iranian Strikes Hit Airbases in Kuwait and Bahrain
New satellite imagery circulating through Iranian media has revealed the aftermath of…
Trump budget plan cuts billions of dollars to pro-LGBT programs, targets gender ‘extremism’
WASHINGTON, D.C. — The Trump administration’s budget proposal for the 2027 fiscal…
Why “Sky Shaker” is the Arcade Flight Combat King of 2026
While the real-world skies over Iran and the Persian Gulf are filled…
Dutch Ministry of Finance takes treasury systems offline amid cyber incident investigation
The Dutch Ministry of Finance took treasury banking portal offline after a…
Missing Juvenile Giyanna Lorenzo -Numez from the 14th District
The Philadelphia Police Department is requesting the public’s assistance in locating a…
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
In February, the vendor did not disclose whether the vulnerability is currently being actively exploited in the wild.
Despite not yet appearing in major exploited lists, real-world attacks have already been observed.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
