Fortinet FortiClient EMS - Critical Flaw Actively Exploited
There's a serious security hole in Fortinet's software that lets hackers sneak in and take control of systems without needing a password. This can lead to them stealing important information or causing other damage. If you're using this software, you need to update it right away to stay safe.
A critical SQL injection vulnerability in Fortinet's FortiClient EMS is actively being exploited, allowing attackers to execute arbitrary code on vulnerable systems.
Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, tracked as CVE-2026-21643. This SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClient EMS GUI via maliciously crafted HTTP requests. The flaw, discovered by Gwendal Guégniaud of Fortinet's Product Security team, affects FortiClient EMS version 7.4.4 and has been assigned a critical CVSS score of 9.1, indicating its severe potential impact on enterprise environments.
According to threat intelligence company Defused, exploitation campaigns targeting internet-facing servers began four days ago, despite the vulnerability not yet being listed on the CISA Known Exploited Vulnerabilities catalog. The vulnerability allows attackers to bypass security controls by smuggling malicious SQL statements through the 'Site' header within an HTTP GET request. Shodan data reveals that nearly 1,000 instances of FortiClient EMS are currently publicly exposed, creating a significant attack surface.
In observed attacks, threat actors have been seen injecting commands such as 'Site: x'; SELECT pg_sleep(4)--' into the /api/v1/init_consts endpoint, demonstrating the ease of exploitation. Successful exploitation enables attackers to steal sensitive enterprise data, deploy secondary malware payloads, or move laterally across internal networks. The lack of authentication requirements makes this flaw particularly appealing to initial access brokers and ransomware affiliates.
Security teams are urged to actively monitor network traffic logs for anomalous HTTP GET requests directed at the administrative interface, specifically looking for unexpected characters or SQL commands injected into the Site header. Identifying these indicators of compromise is crucial for detecting unauthorized access attempts before full exploitation occurs. Fortinet has advised that upgrading to version 7.4.5 is the only definitive mitigation, and organizations should prioritize this update within their emergency patch management cycles. Notably, FortiClient EMS versions 7.2, 8.0, and the FortiEMS Cloud environments remain unaffected by this security flaw.