Critical Fortinet FortiClient EMS SQL Injection Vulnerability Exploited in the Wild
Take action: If you are using FortiClientEMS this is urgent: Make sure the management interface is isolated from the internet and accessible only from trusted networks. Then plan an immediate patch if you are on 7.4 versions. Attackers are exploiting this flaw.
Learn More
Fortinet is facing active exploitation of a critical SQL injection vulnerability in its FortiClient Endpoint Management Server (EMS) platform.
The flaw, tracked as CVE-2026-21643 (CVSS score 9.1), a SQL injection vulnerability in the FortiClientEMS GUIallows allows an unauthenticated attackers to run arbitrary commands on unpatched systems via maliciously crafted HTTP requests.
Threat intelligence data shows that exploitation began in late March 2026. This attack can result in full system compromise, enabling the execution of unauthorized OS commands with high privileges. Internet scanners identified over 2,000 exposed FortiClient EMS instances globally, most IPs are located in the United States and Europe.
The vulnerability was discovered internally by Fortinet's security team and specifically affects FortiClient EMS version 7.4.4. Organizations running this version are vulnerable to remote takeover if their management interface is accessible from the public internet.
Organizations should immediately upgrade their installations to FortiClient EMS version 7.4.5 or later to resolve the issue. Restrict access to the management GUI so it is only reachable through a secure VPN or from specific, trusted internal IP addresses. Organizations should also check their logs for suspicious HTTP requests containing SQL syntax in the 'Site' header to determine if they were targeted before applying the update.
