A critical vulnerability in Fortinet’s FortiClient EMS platform is now being actively exploited in real‑world attacks, according to threat‑intelligence firm Defused. Tracked as CVE‑2026‑21643, this SQL injection bug affects FortiClient EMS version 7.4.4 and allows unauthenticated attackers to run arbitrary code or commands through the platform’s web interface. The flaw can be triggered by specially crafted HTTP requests that smuggle malicious SQL statements via the Site header, giving an attacker a powerful foothold on unpatched systems.
Modus operandi
The vulnerability lives in the FortiClient EMS GUI, which organizations use to manage and deploy FortiClient endpoints across their networks. By manipulating the Site header in an HTTP request, an attacker can inject SQL code into the back‑end database, bypassing authentication entirely. This “low‑complexity” attack vector means that even unsophisticated adversaries can weaponize the bug if they can reach the exposed web interface. Because the flaw is critical, it can lead to full system compromise, data theft, or a springboard into a broader corporate network.
Defused reported that it observed the first exploitation of CVE‑2026‑21643 just four days after the initial vulnerability disclosures. The firm noted that over 900 FortiClient EMS instances are publicly exposed on the internet according to Shodan data, giving attackers a large pool of potential targets. Meanwhile, Internet‑security watchdog Shadowserver is tracking more than 2,000 exposed FortiClient EMS web interfaces, with over 1,400 IPs located in the United States and Europe. Despite this, Fortinet has not yet updated its advisory to mark the bug as “exploited in the wild,” even though a local media outlet reached out to confirm active attacks.
Fortinet vulnerabilities have repeatedly been abused in ransomware and cyber‑espionage campaigns, often as zero‑days while patches are still rolling out. In the case of FortiClient EMS, prior SQL injection flaws were exploited in ransomware attacks and by state‑sponsored groups such as China’s “Salt Typhoon” to breach telecom providers. CISA has already flagged 24 Fortinet vulnerabilities as known‑exploited, 13 of which were tied directly to ransomware. That history makes this new FortiClient EMS bug a high‑priority item for organizations relying on Fortinet for endpoint security.
Mitigation tips
Fortinet recommends upgrading affected FortiClient EMS systems to version 7.4.5 or later to close the CVE‑2026‑21643 vulnerability. Organizations should also review their internet‑exposed EMS interfaces and, where possible, restrict access behind VPNs or firewalls instead of leaving the GUI wide open online. In parallel, IT and security teams should hunt for anomalous database or system‑level activity that might indicate prior exploitation, such as unexpected command execution or lateral movement from the EMS server. Given Fortinet’s track record as a prime target for ransomware actors, patching this flaw quickly and validating exposure can significantly reduce the risk of a major breach.
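As an added example supporting the hunting advice above (not Fortinet's, Defused's or the article's own code): a small Python filter that flags HTTP requests whose Site header carries SQL‑injection indicators, intended to run over proxy or web‑server logs that record request headers. The log record shape, the request paths and the sample requests are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Added example, not Fortinet's or Defused's detection logic. Each heuristic
# is a weak signal on its own, so a request is flagged only when
# MIN_INDICATORS of them fire (a legitimate site name such as "O'Brien
# Branch" contains a quote but nothing else).
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("stacked", re.compile(r";\s*\w")),
    ("keyword", re.compile(r"\b(union|select|insert|update|delete|drop|exec|waitfor)\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s+[\w']+\s*=\s*[\w']+", re.I)),
]
MIN_INDICATORS = 2

def site_header_indicators(value: str) -> List[str]:
    """Return the names of the heuristics that match a Site header value."""
    return [name for name, pat in INDICATORS if pat.search(value)]

def flag_requests(requests: Iterable[Dict]) -> List[Dict]:
    """Return one finding per request whose Site header looks like SQL injection."""
    findings = []
    for req in requests:
        # Header names are case-insensitive in HTTP.
        site = next((v for k, v in req["headers"].items() if k.lower() == "site"), None)
        if site is None:
            continue
        hits = site_header_indicators(site)
        if len(hits) >= MIN_INDICATORS:
            findings.append({"src": req["src"], "path": req["path"],
                             "site": site, "indicators": hits})
    return findings

# Constructed sample traffic (not captured data): two benign, two suspicious.
# Paths are placeholders; the real EMS GUI endpoint is not given here.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/", "headers": {"Site": "hq-office"}},
    {"src": "10.0.0.6", "path": "/", "headers": {"site": "O'Brien Branch"}},
    {"src": "198.51.100.7", "path": "/", "headers": {"Site": "hq' OR 1=1--"}},
    {"src": "203.0.113.9", "path": "/", "headers": {"Site": "x; SELECT 1"}},
]

if __name__ == "__main__":
    for f in flag_requests(SAMPLE_REQUESTS):
        print(f"{f['src']} {f['path']} Site={f['site']!r} indicators={f['indicators']}")
```

Hits on an EMS server that is still on 7.4.4 are a reason to treat it as potentially compromised and follow up on the database and system‑level activity described above, not just to patch.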