Fortinet FortiClient EMS - Critical SQL Injection Under Active Attack

There's a serious flaw in Fortinet's software that lets attackers take control of affected servers without needing a password. They do this by sending specially crafted requests that trick the software into running commands of their choosing. This is a big deal because it can let them steal sensitive information or cause other damage. Companies using this software need to update it right away to fix the issue.
Fortinet FortiClient EMS is facing active exploitation of a critical SQL injection vulnerability, CVE-2026-21643, affecting version 7.4.4. Organizations are urged to upgrade to version 7.4.5 immediately.
A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClient Endpoint Management Server (EMS) is under active exploitation, with reports indicating that threat actors began leveraging the flaw just four days ago. The vulnerability affects FortiClient EMS version 7.4.4 and allows unauthenticated attackers to execute arbitrary code by sending specially crafted HTTP requests to the server's administrative interface. Although it has not yet been added to the CISA Known Exploited Vulnerabilities catalog, Fortinet's CVSS score of 9.1 marks it as a critical risk to enterprise environments.
Telemetry from Defused Cyber confirms that exploitation campaigns against internet-facing servers have begun, and Shodan data shows nearly 1,000 FortiClient EMS instances publicly exposed. Attackers have been observed bypassing security controls by injecting malicious SQL statements through the Site header of an HTTP GET request. One recorded payload, aimed at the /api/v1/init_consts endpoint, carried the header value Site: x'; SELECT pg_sleep(4)-- , a time-delay probe that confirms the injected statement is executed by the backend database.
The vulnerability was discovered by Gwendal Guégniaud of Fortinet’s Product Security team and stems from improper neutralization of special elements within SQL commands. This flaw allows attackers to completely compromise vulnerable endpoint management servers, steal sensitive data, deploy secondary malware, or move laterally within the network. Security teams are advised to monitor network traffic for anomalous HTTP GET requests directed at the administrative interface, particularly those containing unexpected SQL commands.
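The monitoring advice above can be turned into a concrete check. The following is an added example, not code from Fortinet, Defused Cyber or the article: it scans request logs for GET requests whose Site header carries SQL syntax, and scores hits against the /api/v1/init_consts endpoint named in the report higher than the same header elsewhere. The log format (one JSON object per line with src, method, path and headers) and the sample records are constructed for the example; a real deployment would adapt the parser to the web server or proxy log in front of EMS.

```python
"""Detection helper for the CVE-2026-21643 exploitation pattern described in the article.

Added example, not Fortinet's or Defused Cyber's code. The log format is a
constructed, hypothetical one: one JSON object per line carrying the source
address, HTTP method, request path and a headers mapping.
"""
import json
import re
from typing import List, Optional

# Endpoint and header named in the report. Only this path is cited there, so
# other paths are still flagged but at a lower severity.
WATCHED_PATHS = {"/api/v1/init_consts"}
WATCHED_HEADER = "site"

# Indicators of SQL syntax in a header that should only ever hold a site name:
# a quote followed by a statement terminator, SQL comment sequences, the
# PostgreSQL sleep probe quoted in the report, and common SQL keywords.
SQL_INDICATORS = [
    re.compile(r"'\s*;"),                  # closing quote then ';'
    re.compile(r"--"),                     # SQL line comment
    re.compile(r"/\*"),                    # SQL block comment
    re.compile(r"\bpg_sleep\s*\(", re.I),  # time-delay probe seen in the wild
    re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I),
]


def header_is_suspicious(value: str) -> List[str]:
    """Return the regex patterns (as strings) that match the header value."""
    return [pat.pattern for pat in SQL_INDICATORS if pat.search(value)]


def inspect_request(record: dict) -> Optional[dict]:
    """Return an alert for a request carrying SQL in its Site header, else None."""
    path = record.get("path", "").split("?", 1)[0]
    # Header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    site = headers.get(WATCHED_HEADER)
    if site is None:
        return None
    hits = header_is_suspicious(site)
    if not hits:
        return None
    return {
        "src": record.get("src"),
        "method": record.get("method"),
        "path": path,
        "site_header": site,
        "indicators": hits,
        "severity": "high" if path in WATCHED_PATHS else "medium",
    }


def scan_log(lines) -> List[dict]:
    """Parse JSON-per-line records and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = inspect_request(record)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: two benign requests and two carrying SQL in the Site header.
# The third record reproduces the payload quoted in the report.
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "GET", "path": "/api/v1/init_consts", "headers": {"Site": "Default", "User-Agent": "FortiClient"}}
{"src": "10.0.0.6", "method": "GET", "path": "/api/v1/status", "headers": {"Site": "branch-office"}}
{"src": "203.0.113.7", "method": "GET", "path": "/api/v1/init_consts", "headers": {"Site": "x'; SELECT pg_sleep(4)--"}}
{"src": "203.0.113.8", "method": "GET", "path": "/api/v1/other", "headers": {"site": "a' OR '1'='1'--"}}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the block prints two alerts: a high-severity one for the init_consts request from 203.0.113.7 (four indicators matched) and a medium-severity one for the comment sequence in the last record. Matching on SQL syntax rather than on the exact quoted payload is deliberate: a time-delay probe is only one form the injection can take, and the header legitimately never contains quotes, semicolons or comment markers.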
Organizations running FortiClient EMS 7.4.4 with multi-tenant mode enabled must upgrade to version 7.4.5 immediately to mitigate this risk. FortiClient EMS versions 7.2, 8.0, and FortiEMS Cloud environments are unaffected by this vulnerability.