Critical SQL Injection in FortiClient EMS Multi-Tenant Mode
Fortinet FortiClient Endpoint Management Server (EMS) contains a critical unauthenticated SQL injection vulnerability, tracked as CVE-2026-21643 with a CVSS score of 9.1, affecting version 7.4.4 when multi-tenant mode is enabled. The flaw was introduced during a middleware refactor that changed database connection and tenant routing logic, allowing the HTTP Site header to be passed into a PostgreSQL search_path query without proper validation. Because the vulnerable middleware executes before authentication, an attacker can send a crafted HTTPS request and run arbitrary SQL commands without valid credentials.
Research cited in the coverage says the publicly exposed /api/v1/init_consts endpoint is the most practical attack path because it can reveal whether multi-tenant mode is active, lacks rate limiting, and returns PostgreSQL error messages that support efficient error-based data extraction. Successful exploitation can lead to full compromise of the EMS management database and exposure of sensitive information. Commentary in the related podcast segment reinforces that the bug was introduced by the 7.4.4 refactoring and fixed in 7.4.5, highlighting how code refactoring can create serious security regressions when input handling and validation are not preserved.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-21643 to KEV and orders remediation
CISA added Fortinet FortiClient EMS flaw CVE-2026-21643 to its Known Exploited Vulnerabilities catalog on 2026-04-13, formally confirming active exploitation. The agency ordered U.S. federal civilian agencies to remediate by 2026-04-16 and urged other organizations to patch immediately.
Defused reports active exploitation of CVE-2026-21643
Threat intelligence firm Defused reported that attackers are actively exploiting CVE-2026-21643 against unpatched FortiClient EMS systems. The report said internet exposure was substantial, with roughly 1,000 to more than 2,000 exposed instances observed via Shodan and Shadowserver, while Fortinet's advisory had not yet been updated to note in-the-wild abuse.
Defused says CVE-2026-21643 exploitation has been observed since March 24
Researchers said active intrusions exploiting FortiClient EMS flaw CVE-2026-21643 have been observed since 2026-03-24. The activity targeted vulnerable FortiClient EMS 7.4.4 systems via SQL injection in the HTTP Site header, indicating exploitation began days before public reporting on the attacks.
CVE-2026-21643 details and exploitation path are publicly disclosed
Public reporting identified the bug as CVE-2026-21643, rated CVSS 9.1, and described how unauthenticated attackers could exploit the HTTP Site header against the publicly accessible /api/v1/init_consts endpoint to achieve arbitrary SQL execution. Reporting also noted risks including database compromise and possible remote code execution due to PostgreSQL superuser privileges, along with mitigations such as upgrading, disabling multi-tenant Sites, and restricting EMS web access.
Fortinet fixes the FortiClient EMS flaw in version 7.4.5
Fortinet patched the SQL injection vulnerability in FortiClient EMS in release 7.4.5, the version immediately following the affected 7.4.4 release. The fix removed the vulnerable behavior introduced in the prior version.
Fortinet introduces SQL injection flaw in FortiClient EMS 7.4.4
A format-string interpolation issue was introduced during a refactoring effort in FortiClient Endpoint Management Server version 7.4.4. The defect created a critical SQL injection condition affecting deployments with multi-tenant mode enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
CISA Warns of Fortinet SQL Injection Vulnerability Actively Exploited in Attacks
cybersecuritynews.com
Open sourceCritical Fortinet FortiClient EMS vulnerability under attack | brief | SC Media
scworld.com
Open sourceCritical Fortinet FortiClient EMS flaw exploited for Remote Code Execution
securityaffairs.com
Open sourceCritical Fortinet Forticlient EMS Vulnerability Exploited in Attacks - Cyber Security News
cybersecuritynews.com
Open sourceCritical Fortinet Forticlient EMS flaw now exploited in attacks
bleepingcomputer.com
Open sourceCritical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643) - Help Net Security
helpnetsecurity.com
Open sourceCritical FortiClient SQL Injection vulnerability Enables Arbitrary Database Access
cybersecuritynews.com
Open sourceCreating Better Security Guidance and Code with LLMs - Mark Curphey - ASW #374 | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.
Mar 21, 2026
Active Exploitation of FortiClient EMS Authentication Bypass Enables Remote Code Execution
Fortinet disclosed a critical FortiClient Endpoint Management Server flaw, **CVE-2026-35616**, caused by improper access control in the EMS API that lets a remote, unauthenticated attacker bypass authentication and authorization and potentially execute code or commands on the host. Fortinet and CISA said the bug is being actively exploited as a zero-day, with affected versions identified as **FortiClientEMS 7.4.5 through 7.4.6**; the vendor directed customers to upgrade to **7.4.7** or apply available hotfixes. Reporting and public tooling indicate attackers have been scanning for exposed EMS instances and targeting enterprise environments including government, healthcare, and cryptocurrency organizations. Security researchers published detection guidance and an exposure-checking tool for internet-facing systems, while defenders were urged to restrict external access to EMS, review logs for suspicious API activity, and assess whether exploitation may have been paired with other recently disclosed FortiClient EMS weaknesses such as **CVE-2026-21643**.
May 29, 2026
Unauthenticated RCE in FortiClient EMS Is Being Actively Exploited
A critical vulnerability in **FortiClient EMS**, Fortinet’s endpoint management platform, allows **unauthenticated remote code execution** on affected servers. The issue impacts **FortiClient EMS 7.4.5 and 7.4.6**, exposing organizations that use the product to potential full compromise of the management system. Fortinet has reported **active exploitation in the wild**, and Finland’s National Cyber Security Centre has urged organizations to apply the available **hotfix immediately**. Because the flaw can be exploited without authentication, exposed FortiClient EMS instances should be treated as high priority for emergency remediation and compromise assessment.
Apr 20, 2026