Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.
A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data. Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed,” Defused wrote on X.
The post was published by Defused (@DefusedCyber) on March 28, 2026.
In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.
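For defenders hunting for this activity, the following added example (not code from Fortinet, Defused or the original article) scans proxy logs for `Site` header values that carry SQL syntax. It assumes a reverse proxy in front of EMS logs request headers as JSON lines and that legitimate `Site` values are short plain names; the field names, sample records and placeholder paths are constructed.

```python
import json
import re
from urllib.parse import unquote

# Assumption: legitimate Site header values are short plain names.
SAFE_SITE = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")
# Characters and keywords that belong to SQL syntax, not to a site name.
SQL_TOKENS = re.compile(
    r"'|\"|;|--|/\*|\b(select|union|insert|update|delete|drop)\b",
    re.IGNORECASE,
)

def site_values(headers):
    """Return every Site header value; header names are case-insensitive."""
    return [v for k, v in headers.items() if k.lower() == "site"]

def classify(value):
    """Return 'ok', 'unexpected' (fails allowlist) or 'sql' (SQL syntax seen)."""
    decoded = unquote(value)  # catch percent-encoded quotes such as %27
    if SQL_TOKENS.search(decoded):
        return "sql"
    if not SAFE_SITE.fullmatch(decoded):
        return "unexpected"
    return "ok"

def hunt(log_lines):
    """Return (timestamp, source, verdict, value) for every non-ok Site header."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        for value in site_values(rec.get("headers", {})):
            verdict = classify(value)
            if verdict != "ok":
                findings.append((rec.get("ts"), rec.get("src"), verdict, value))
    return findings

# Constructed sample records (not real traffic); paths are placeholders.
SAMPLE = [
    '{"ts":"2026-03-28T10:00:01Z","src":"192.0.2.10","path":"/placeholder","headers":{"Site":"default"}}',
    '{"ts":"2026-03-28T10:00:05Z","src":"198.51.100.7","path":"/placeholder","headers":{"site":"x\'; SELECT 1--"}}',
    '{"ts":"2026-03-28T10:00:09Z","src":"198.51.100.7","path":"/placeholder","headers":{"SITE":"x%27%3B%20select%201"}}',
    '{"ts":"2026-03-28T10:00:12Z","src":"192.0.2.44","path":"/placeholder","headers":{"Site":"branch<01>"}}',
    '{"ts":"2026-03-28T10:00:15Z","src":"192.0.2.10","path":"/placeholder","headers":{"User-Agent":"x"}}',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

A hit is a lead for triage, not proof of compromise; tune the allowlist to the site names actually configured in the deployment.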
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
In February, the vendor did not disclose whether the vulnerability was being actively exploited in the wild.
Although the flaw does not yet appear in major lists of exploited vulnerabilities such as CISA's KEV catalog, real-world attacks have already been observed.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
