Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.
A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X.
In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.
EXPLORE MORE
Kazuma Kaneko’s Tsukuyomi announced, new premium release with less gen AI
Japanese developer COLOPL has announced Kazuma Kaneko’s Tsukuyomi, a new premium release…
Revenge of the Neanderthal by Willis A. Carto
The article "Revenge of the Neanderthal," authored by Willis A. Carto and…
Missing Juvenile Woodjina Stephen from the 15th District
The Philadelphia Police Department is seeking the public’s assistance in locating missing…
Bandai Namco’s 2026 Power Move: The Economic Strategy Behind Echoes of Aincrad
As operations across the globe face mounting pressure from regional conflicts and…
What Trump dinner gunman wrote in his manifesto
The armed man who breached security at a press dinner attended by…
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
In February, the vendor did not disclose whether the vulnerability is currently being actively exploited in the wild.
Despite not yet appearing in major exploited lists, real-world attacks have already been observed.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
