Executive Summary
Fortinet has released an emergency patch for CVE-2026-21643, a critical SQL injection vulnerability in FortiClientEMS 7.4.4 that allows unauthenticated remote code execution via specially crafted HTTP requests.
CVSS Score: 9.8 (Critical)
No active exploitation has been reported yet, but given the unauthenticated attack vector and maximum severity score, exploitation is expected imminently.
Vulnerability Details
Root Cause
An improper neutralization of special elements in SQL commands ("SQL Injection") in the FortiClientEMS web interface allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying database and potentially achieve code execution on the server.
Attack Vector
| Attribute | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Versions
| Version | Affected | Action |
|---|---|---|
| FortiClientEMS 7.4.4 | Yes | Upgrade to 7.4.5+ |
| FortiClientEMS 7.2.x | No | Not affected |
| FortiClientEMS 8.0.x | No | Not affected |
Important: Only version 7.4.4 is affected. Organizations running 7.2.x or 8.0.x do not need to take action for this specific CVE.
Why This Is Critical
FortiClientEMS is a centralized endpoint management server that controls FortiClient deployments across an organization. Compromising it gives an attacker:
- Control over all managed endpoints — Push malicious configurations or software to every connected FortiClient
- Network visibility — Access telemetry data from all managed devices
- Credential access — Potentially harvest VPN credentials and certificates stored on the server
- Lateral movement — Use the management infrastructure as a pivot point into the broader network
Fortinet Products Are APT Targets
Fortinet products have been repeatedly targeted by nation-state actors:
| Threat Actor | Fortinet Target | Year |
|---|---|---|
| UNC3886 | FortiGate, FortiManager | 2023-2026 |
| Volt Typhoon | FortiGate VPN | 2024-2025 |
| Various APTs | FortiOS SSL VPN | 2023-2024 |
Remediation
Option 1: Upgrade (Recommended)
Upgrade FortiClientEMS to version 7.4.5 or later immediately.
Option 2: Network Restrictions (Temporary)
If immediate upgrade is not possible:
- Restrict access to the FortiClientEMS web interface to trusted management networks only
- Block internet-facing access to FortiClientEMS administrative ports
- Monitor access logs for unusual HTTP request patterns
Option 3: WAF Protection (Temporary)
Deploy WAF rules to detect and block SQL injection patterns targeting FortiClientEMS endpoints.
Detection
Log Indicators
Monitor FortiClientEMS logs for:
- Unusual HTTP requests to administrative endpoints
- Database errors or unexpected query patterns
- Authentication bypass attempts
- Unexpected process execution on the EMS server
Network Detection
Monitor for:
- HTTP requests to FortiClientEMS with SQL injection patterns
- Unusual outbound connections from EMS servers
- Database protocol traffic from EMS to unexpected destinations
References
- The Hacker News — Fortinet Patches Critical SQLi Flaw
- Arctic Wolf — CVE-2026-21643 Analysis
- SOC Prime — CVE-2026-21643 Detection