Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Unauthenticated SQL Injection RCE in Fortinet FortiClient EMS

IdentifiersCVE-2026-21643CWE-89· Improper Neutralization of Special…Also known asfg_ir_25_1142

CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS). The provided content identifies the flaw as an improper neutralization of special elements used in an SQL command and states it affects the FortiClient EMS administrative interface, with multiple references specifically calling out version 7.4.4 and broader reporting indicating affected 7.4.x releases up to the fixed build. Technical analysis cited in the content attributes the issue to improper input validation in middleware handling of the HTTP Site header before database connection setup. According to that analysis, attacker-controlled Site header data is used to construct a PostgreSQL search_path value without sufficient sanitization, enabling pre-authentication SQL injection via crafted HTTP requests. Successful exploitation can lead to unauthorized code or command execution on the EMS server. The vulnerability has been reported as actively exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities catalog.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The impact is critical. An unauthenticated remote attacker can exploit the vulnerable EMS web interface to execute unauthorized SQL statements and achieve unauthorized code or command execution on the FortiClient EMS server. Because EMS is a centralized endpoint management platform, compromise can expose sensitive databases, alter EMS configuration, create or modify administrative state, push malicious changes to managed endpoint security policies, deploy secondary payloads, and provide a foothold for broader enterprise compromise. The content also notes active exploitation in the wild, increasing operational risk for exposed systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict FortiClient EMS management access to trusted internal networks only, place any remote administrative access behind a VPN, and reduce internet exposure of the EMS web interface. The content also states that disabling multitenancy can prevent the vulnerable Site-header code path from being exercised, providing a temporary mitigation. Defenders should additionally monitor for unusual activity involving the /api/v1/init_consts endpoint, HTTP 500 responses associated with exploitation attempts, unexpected configuration changes, unauthorized accounts, privilege escalation, and suspicious processes spawned by EMS services.

Remediation

Patch, then assume compromise.

Upgrade FortiClient EMS to a fixed version. The content states the fix path for vulnerable 7.4.4 deployments is to move to 7.4.5 or later, and other reporting recommends updating to the latest available EMS release rather than remaining on older 7.4.x builds. Where applicable, apply Fortinet hotfixes referenced in PSIRT guidance for supported versions. Given the active exploitation status, remediation should be treated as urgent.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FortinetForticlientemsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

153 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

153 SOURCESView more in app
thecybersecguruNews
Jun 17, 2026
FortiBleed: How 75,000 Fortinet Firewalls Were Silently Compromised in 2026 | The CyberSec Guru

A FortiClient EMS vulnerability mentioned as being under active exploitation during the same period as the FortiBleed campaign; no further technical details are provided in the content.

Read more
bleeping computerNews
Jun 16, 2026
Critical Fortinet FortiSandbox flaws now exploited in attacks

A critical SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) that was patched and later flagged as actively exploited.

Read more
darkwebinformerNews
May 28, 2026
One Forged Header: Unauthenticated Authentication Bypass in Fortinet FortiClient EMS (CVE-2026-35616)

An unauthenticated SQL injection vulnerability in FortiClient EMS 7.4.4 that was also exploited in the wild.

Read more
cyberthroneNews
May 16, 2026
Fortinet Patch Tuesday - May 2026 - TheCyberThrone

A critical vulnerability in FortiClient Enterprise Management Server that was later flagged as actively exploited.

Read more
+37 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity109

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-21643
NVD
nvd.nist.gov/vuln/detail/CVE-2026-21643
MITRE CWE · CWE-89
Improper Neutralization of Special Elements…
Vendor Advisory
fortiguard.fortinet.com/psirt/FG-IR-25-1142
Exploit
github.com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.py
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643