Overview
CVE-2026-21643 has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The vulnerability is an improper neutralization of SQL commands ("SQL Injection") in Fortinet FortiClient EMS that allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted HTTP requests.
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Authentication Required: None
Vulnerability Details
FortiClient EMS is Fortinet's centralized endpoint management server used to deploy and manage FortiClient software across enterprise environments. The SQL injection flaw exists in the web interface and enables an attacker with network access to the EMS server to execute database commands without credentials.
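The bug class behind this CVE, shown on a hypothetical lookup routine written for this page (it is not FortiClient EMS code, and the table, column names and the `' OR '1'='1` payload are textbook illustrations, not details of the actual flaw). The unsafe variant concatenates a request parameter into the query; the safe variant binds it as a parameter so it can never alter the SQL grammar:

```python
import sqlite3

# Constructed in-memory table standing in for a management server's user
# store. Everything here is an illustration of CWE-89, not vendor code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)]
    )
    return conn

def lookup_unsafe(conn, name):
    # Improper neutralization: the untrusted value becomes part of the SQL
    # text, so a quote in the input closes the literal and the rest of the
    # input is parsed as SQL.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_safe(conn, name):
    # Bound parameter: the driver sends the value out of band, so the same
    # payload is compared as a plain string and matches nothing.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))  # every row comes back
    print("safe:  ", lookup_safe(db, payload))    # nothing comes back
```

The same principle applies whatever the backend (here SQLite, in EMS the MS SQL database the detection section refers to): the fix is parameterized statements, not input filtering, which is why a WAF rule is only a temporary mitigation.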
Technical Summary
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-21643 |
| CVSS Score | 9.8 Critical |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Impact | RCE / Full Server Compromise |
Affected Versions
| Product | Affected Version | Fix Available |
|---|---|---|
| FortiClient EMS | 7.4.4 | Upgrade to 7.4.5+ |
CISA KEV Addition
CISA's addition of CVE-2026-21643 to the KEV catalog on April 13, 2026 confirms that threat actors are actively exploiting this vulnerability against real-world targets. Federal agencies are required to remediate KEV-listed vulnerabilities within mandated timeframes under Binding Operational Directive 22-01 (BOD 22-01).
Why FortiClient EMS Is High-Value
Compromising FortiClient EMS gives an attacker centralized control over all managed endpoints in the organization:
- Endpoint control — push malicious configurations or updates to all FortiClient-managed devices
- Credential exposure — VPN credentials and certificates stored on the server may be harvested
- Network telemetry — full visibility into managed device network activity
- Lateral movement — use EMS as a pivot point into broader enterprise infrastructure
Fortinet products have historically been targeted by nation-state actors including UNC3886, Volt Typhoon, and various APT groups, making rapid patching essential.
Remediation
Immediate Action Required
- Upgrade FortiClient EMS to version 7.4.5 or later — this is the only fully effective remediation
- If immediate patching is not possible, restrict network access to FortiClient EMS to trusted management IP ranges only
- Block all internet-facing exposure of FortiClient EMS administrative interfaces
Temporary Mitigations
- Restrict HTTP/HTTPS access to FortiClient EMS to known management subnets
- Enable logging on all web requests to EMS for anomaly detection
- Deploy WAF rules to detect SQL injection patterns targeting EMS endpoints
Detection
Monitor FortiClient EMS logs for:
- Unusual or malformed HTTP requests to web API endpoints
- Database errors or unexpected query execution patterns
- Outbound connections from the EMS server to unknown external hosts
- Unexpected process spawning on the EMS host
Indicators of Compromise:
- Anomalous SQL syntax in HTTP request parameters
- Unauthorized commands executed in the MS SQL / EMS database context
- New admin accounts or changed configurations with no corresponding change ticket
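A worked version of the "anomalous SQL syntax in HTTP request parameters" check above, which also serves as the kind of pattern set a WAF rule under Temporary Mitigations would carry. This is an added example, not a Fortinet or CISA artifact: the log lines are constructed in common log format, and the paths and parameter names in them are invented placeholders, not real EMS endpoints. The scanner URL-decodes each query parameter, applies a small set of SQL injection signatures, and reports the source IP, timestamp and HTTP status so a 500 next to a hit can be ranked higher (the "database errors" signal in the Detection list):

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample web-server log. Paths and parameter names are invented
# for this example and are not FortiClient EMS endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2026:10:01:02 +0000] "GET /api/v1/status?id=42 HTTP/1.1" 200 512
198.51.100.7 - - [13/Apr/2026:10:01:09 +0000] "GET /api/v1/status?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88
198.51.100.7 - - [13/Apr/2026:10:01:15 +0000] "GET /api/v1/report?name=x%27%3B%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 90
10.0.0.9 - - [13/Apr/2026:10:02:00 +0000] "POST /api/v1/login HTTP/1.1" 200 300
198.51.100.7 - - [13/Apr/2026:10:02:31 +0000] "GET /api/v1/search?q=1%20UNION%20SELECT%20name%2Cpassword%20FROM%20users HTTP/1.1" 200 4096
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Signatures for the injection shapes a practitioner looks for first.
# Case-insensitive, because SQL keywords are.
SQLI_PATTERNS = [
    ("quote-or-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(waitfor|exec|drop|insert|update|delete|xp_)", re.I)),
    ("sql-comment", re.compile(r"(--|/\*)\s*$")),
]

def classify_request(target):
    """Return [(param, pattern_name), ...] for the decoded query string."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so a double-encoded payload
        # (a common WAF-evasion trick) is inspected in its final form.
        decoded = unquote_plus(value)
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(decoded):
                hits.append((key, name))
    return hits

def scan_log(text):
    """Return one finding per request whose parameters match a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand, do not crash
        hits = classify_request(m["target"])
        if hits:
            status = int(m["status"])
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": status,
                "target": m["target"],
                "hits": hits,
                # A server error on an injection-shaped request suggests the
                # payload reached the database and broke the query.
                "db_error_hint": status == 500,
            })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["status"], f["target"], f["hits"])
```

Run it over the real access log (or feed the same signatures to the WAF) rather than the constructed sample; a single source address producing several hits in a short window, as 198.51.100.7 does here, is the pattern to alert on, and any hit paired with a 500 deserves a look at the database logs for the unexpected query execution the Detection list mentions.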