Critical SQL Injection Vulnerability in Fortinet FortiClientEMS Allows Remote Code Execution
Take action: If you are using FortiClientEMS make sure the management interface is isolated from the internet and accessible only from trusted networks. Then plan a quick patch if you are on 7.4 versions. Attackers will start exploting this very soon.
Learn More
Fortinet patched a critical flaw in FortiClientEMS, its central management solution for endpoint protection. FortiClientEMS serves as the central hub for managing security policies, antivirus deployments, and compliance across an entire enterprise network.
The vulnerability is tracked as CVE-2026-21643 (CVSS score 9.1), an SQL Injection (SQLi) vulnerability in the Graphical User Interface (GUI) component caused by improper neutralization of special elements in SQL commands.
Attackers can send specifically crafted HTTP requests to the GUI to manipulate database queries and bypass authentication barriers. This mechanism allows the attacker to gain control over the underlying system and run commands without credentials.
A successful exploit grants full control over the management server, which attackers can use as a base for lateral movement into the wider corporate network
The vulnerability affects FortiClientEMS version 7.4.4. Fortinet confirmed that versions in the 8.0 and 7.2 branches are not affected by this flaw.
The company claims that FortiEMS Cloud instances are not impacted, removing immediate risk for SaaS customers.
Administrators should upgrade affected systems to FortiClientEMS version 7.4.5 or higher. As a standard security measure, organizations should isolate management interfaces from the public internet and restrict access to trusted internal networks or VPNs.
