Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for FortiClient Enterprise Management Server (EMS) warning that CVE-2026-21643 enables unauthenticated remote code execution via an SQL injection flaw (CWE-89) in the product’s GUI/web interface. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise.
The issue is reported as affecting the 7.4 line, with FortiClientEMS 7.4.4 explicitly called out as vulnerable; Fortinet’s recommended remediation is to upgrade to 7.4.5 or later. Fortinet also stated that the 8.0 and 7.2 branches are not affected, and an updated note indicated FortiEMS Cloud/SaaS instances are not impacted, narrowing immediate exposure primarily to on-prem deployments running the affected version.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
NCIIPC India flags CVE-2026-21643 as critical
By February 11, 2026, India's NCIIPC had flagged CVE-2026-21643 as a critical issue for OEM checks, reflecting broader government-sector awareness of the FortiClientEMS vulnerability. Reporting also reiterated that fixes had been available since February 6.
Public reporting notes no evidence of CVE-2026-21643 exploitation
As public coverage of the advisory spread, reports highlighted that Fortinet had not identified evidence of in-the-wild exploitation of CVE-2026-21643 at the time of publication. The company nevertheless urged rapid patching and review of logs for suspicious requests to the EMS GUI.
Canadian Centre for Cyber Security republishes Fortinet advisory
The Canadian Centre for Cyber Security issued alert AV26-096 referencing Fortinet's February 6 advisory for CVE-2026-21643, identifying FortiClientEMS 7.4.4 as affected and urging administrators to review the vendor guidance and apply updates. This amplified official notice of the vulnerability to Canadian defenders.
Fortinet clarifies FortiEMS Cloud is not affected
A February 6, 2026 advisory timeline update clarified that FortiEMS Cloud is unaffected by CVE-2026-21643. This narrowed the impact to affected on-premises FortiClientEMS deployments, specifically version 7.4.4.
Fortinet publishes advisory and patches CVE-2026-21643
On February 6, 2026, Fortinet published a high-priority security advisory for CVE-2026-21643, a critical SQL injection flaw in FortiClientEMS 7.4.4 that can enable unauthenticated remote code or command execution via crafted HTTP requests. Fortinet released a fix, advised customers to upgrade to version 7.4.5 or later, and stated that the 7.2 and 8.0 branches are not affected.
Fortinet internally discovers FortiClientEMS SQL injection flaw
Fortinet's Product Security team internally identified a critical SQL injection vulnerability in the FortiClientEMS administrative interface, later assigned CVE-2026-21643 and tracked by Fortinet as FG-IR-25-1142. Reporting attributes the discovery to Gwendal Guégniaud of the Fortinet Product Security team.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Critical SQL Injection in FortiClientEMS: CVE-2026-21643 - TheCyberThrone
thecyberthrone.in
Open sourceFortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution
thehackernews.com
Open sourceCritical Fortinet FortiClientEMS flaw allows remote code execution
securityaffairs.com
Open sourceFortinet security advisory (AV26-096) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCritical FortiClientEMS Vulnerability Let Attackers Execute Malicious Code Remotely
cybersecuritynews.com
Open sourceEndpoint Exposed: Critical FortiClient EMS Flaw (CVSS 9.1) Allows Unauthenticated RCE
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated RCE in FortiClient EMS Is Being Actively Exploited
A critical vulnerability in **FortiClient EMS**, Fortinet’s endpoint management platform, allows **unauthenticated remote code execution** on affected servers. The issue impacts **FortiClient EMS 7.4.5 and 7.4.6**, exposing organizations that use the product to potential full compromise of the management system. Fortinet has reported **active exploitation in the wild**, and Finland’s National Cyber Security Centre has urged organizations to apply the available **hotfix immediately**. Because the flaw can be exploited without authentication, exposed FortiClient EMS instances should be treated as high priority for emergency remediation and compromise assessment.
Apr 20, 2026
Critical SQL Injection in FortiClient EMS Multi-Tenant Mode
**Fortinet FortiClient Endpoint Management Server (EMS)** contains a critical unauthenticated SQL injection vulnerability, tracked as **CVE-2026-21643** with a **CVSS score of 9.1**, affecting **version 7.4.4** when **multi-tenant mode** is enabled. The flaw was introduced during a middleware refactor that changed database connection and tenant routing logic, allowing the HTTP `Site` header to be passed into a PostgreSQL `search_path` query without proper validation. Because the vulnerable middleware executes before authentication, an attacker can send a crafted HTTPS request and run arbitrary SQL commands without valid credentials. Research cited in the coverage says the publicly exposed `/api/v1/init_consts` endpoint is the most practical attack path because it can reveal whether multi-tenant mode is active, lacks rate limiting, and returns PostgreSQL error messages that support efficient error-based data extraction. Successful exploitation can lead to **full compromise of the EMS management database** and exposure of sensitive information. Commentary in the related podcast segment reinforces that the bug was introduced by the **7.4.4 refactoring** and fixed in **7.4.5**, highlighting how code refactoring can create serious security regressions when input handling and validation are not preserved.
Apr 14, 2026
Active Exploitation of FortiClient EMS Authentication Bypass Enables Remote Code Execution
Fortinet disclosed a critical FortiClient Endpoint Management Server flaw, **CVE-2026-35616**, caused by improper access control in the EMS API that lets a remote, unauthenticated attacker bypass authentication and authorization and potentially execute code or commands on the host. Fortinet and CISA said the bug is being actively exploited as a zero-day, with affected versions identified as **FortiClientEMS 7.4.5 through 7.4.6**; the vendor directed customers to upgrade to **7.4.7** or apply available hotfixes. Reporting and public tooling indicate attackers have been scanning for exposed EMS instances and targeting enterprise environments including government, healthcare, and cryptocurrency organizations. Security researchers published detection guidance and an exposure-checking tool for internet-facing systems, while defenders were urged to restrict external access to EMS, review logs for suspicious API activity, and assess whether exploitation may have been paired with other recently disclosed FortiClient EMS weaknesses such as **CVE-2026-21643**.
May 29, 2026