Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)

A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClient Endpoint Management Server (EMS), a management server for FortiClient endpoint agents on various platforms, is under active exploitation.

The warning comes from Defused Cyber, a company that helps organizations deploy honeypots and other decoy assets and also uses them to capture real attack attempts and exploits, providing early-warning threat intelligence.

“Currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists, [CVE-2026-21643] has seen first exploitation already 4 days ago according to our data,” the company stated on Sunday.

About CVE-2026-21643

CVE-2026-21643, discovered internally by Gwendal Guégniaud of Fortinet's Product Security team, is caused by improper neutralization of special elements used in an SQL command.

It can be exploited by remote, unauthenticated attackers who send specially crafted HTTP requests to an internet-exposed FortiClient EMS administrative interface, and may allow them to execute unauthorized code or commands.

CVE-2026-21643 affects only deployments running FortiClientEMS v7.4.4. The flaw was fixed in December 2026, in version 7.4.5.

In early March 2026, Bishop Fox researchers published a technical analysis of the flaw and pinpointed practical exploitation paths.

“FortiClient EMS has supported multi-tenant deployments since before version 7.4.4, allowing a single instance to manage multiple customer sites. Version 7.4.4 refactored the middleware stack and database connection layer as part of this feature’s evolution and, in doing so, introduced a critical flaw: the HTTP header used to identify which tenant a request belongs to is now passed directly into a database query without sanitization, and this happens before any login check,” they explained.

“An attacker who can reach the EMS web interface over HTTPS needs no credentials to exploit this. A single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database. This gives attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints.”
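The pattern the Bishop Fox researchers describe, as an added illustration that is not FortiClient EMS code: a tenant identifier read from a request header is spliced into SQL before any authentication, shown beside the allowlisted, parameterized form that the fix would take. The header name `X-Tenant-Id`, the table schema and the use of SQLite in place of PostgreSQL are assumptions.

```python
"""Toy model of a pre-authentication tenant lookup that trusts a request
header. Added illustration, not FortiClient EMS code: the header name,
schema and SQLite backend are assumptions (the real product uses PostgreSQL)."""
import re
import sqlite3

TENANT_HEADER = "X-Tenant-Id"  # hypothetical header name
TENANT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # allowlist for tenant identifiers


def make_db():
    """Constructed sample data: two tenants, one site each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenants (id TEXT PRIMARY KEY, site TEXT)")
    db.executemany("INSERT INTO tenants VALUES (?, ?)",
                   [("acme", "acme.example"), ("globex", "globex.example")])
    return db


def lookup_tenant_vulnerable(db, headers):
    """Header value concatenated into the query text, so untrusted input
    can change the query's structure. Runs before any login check."""
    tenant = headers.get(TENANT_HEADER, "")
    return db.execute(
        f"SELECT id, site FROM tenants WHERE id = '{tenant}'").fetchall()


def lookup_tenant_safe(db, headers):
    """Hardened form: reject anything outside the allowlist, then bind the
    value as a query parameter so the driver never treats it as SQL."""
    tenant = headers.get(TENANT_HEADER, "")
    if not TENANT_RE.fullmatch(tenant):
        return []  # rejected before it reaches the database
    return db.execute(
        "SELECT id, site FROM tenants WHERE id = ?", (tenant,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = {TENANT_HEADER: "acme"}
    # Constructed malformed header value: closes the quoted literal and
    # appends an always-true condition.
    crafted = {TENANT_HEADER: "x' OR '1'='1"}
    print(lookup_tenant_vulnerable(db, benign))   # one row, as intended
    print(lookup_tenant_vulnerable(db, crafted))  # every tenant row is returned
    print(lookup_tenant_safe(db, crafted))        # []: blocked by the allowlist
```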

Upgrade to a fixed version

According to Fortinet’s advisory, FortiClientEMS branches 7.2 and 8.0 are not affected.

Bishop Fox researchers advised that organizations running FortiClient EMS 7.4.4 with multi-tenant mode enabled should upgrade to 7.4.5 immediately. “Single-site deployments are not affected,” they added.

Defused Cyber says that, according to Shodan, close to 1000 instances of FortiClient EMS are publicly exposed. How many of those are running the vulnerable software version in multi-tenant mode is unknown.

Fortinet has yet to confirm exploitation of CVE-2026-21643.
