Executive Summary

Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw, classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests. With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations relying on FortiClientEMS for endpoint management. Immediate patching is strongly recommended to prevent potential exploitation, as the vulnerability allows attackers to bypass authentication and gain full control over the targeted system. While there is currently no evidence of exploitation in the wild, the attack surface and criticality of the flaw make it a high-priority issue for all organizations using the affected product version.

Technical Information

The vulnerability, CVE-2026-21643, resides in the FortiClientEMS administrative web interface. It is caused by improper neutralization of user-supplied input in SQL queries, a classic SQL injection (SQLi) scenario as defined by CWE-89. The flaw allows an unauthenticated attacker to send specially crafted HTTP requests to the FortiClientEMS GUI, resulting in the execution of arbitrary SQL statements. This can lead to unauthorized access, data exfiltration, privilege escalation, and ultimately, remote code execution (RCE) on the underlying system.

The attack vector is network-based, requiring no prior authentication or user interaction. The vulnerability is present in FortiClientEMS version 7.4.4. The issue was discovered by Gwendal Guégniaud of the Fortinet Product Security Team and is documented in the official Fortinet advisory FG-IR-25-1142 and the NVD entry.

The CVSS v3.1 vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the attack is remotely exploitable, requires low complexity, does not require privileges or user interaction, and can result in a complete compromise of confidentiality, integrity, and availability.

The vulnerability is not present in FortiClientEMS versions 7.2, 8.0, or FortiEMS Cloud. The issue has been resolved in FortiClientEMS version 7.4.5 and later.

From a technical perspective, the flaw is particularly dangerous because it allows attackers to chain SQL injection with command execution, effectively transforming a web application vulnerability into a full system compromise. Attackers can leverage the SQLi to inject malicious payloads, create or modify administrative accounts, and execute arbitrary commands on the host operating system. This level of access can facilitate lateral movement, data theft, and the deployment of additional malware or ransomware.

Exploitation in the Wild

As of the latest available information, there is no public evidence that CVE-2026-21643 has been exploited in the wild. Neither Fortinet nor major cybersecurity news outlets such as The Hacker News have reported active exploitation. However, the criticality of the vulnerability, combined with its unauthenticated remote attack vector, makes it highly attractive to threat actors. Security researchers and community members on platforms like Reddit have described the flaw as a "SQL injection bomb," emphasizing the urgency of patching.

No public proof-of-concept (PoC) exploit code has been released as of this report. Nonetheless, the technical simplicity of SQL injection vulnerabilities and the detailed nature of the advisories suggest that exploit development would not be challenging for skilled attackers. The lack of a public PoC should not be interpreted as a sign of safety; organizations should assume that threat actors are actively researching ways to exploit this flaw.

APT Groups using this vulnerability

At the time of writing, no specific advanced persistent threat (APT) groups have been publicly linked to the exploitation of CVE-2026-21643. Open-source intelligence, the MITRE CVE Threat Actor database, and vendor advisories do not attribute this vulnerability to any known APT campaigns. However, it is important to note that similar SQL injection and remote code execution vulnerabilities in Fortinet products have historically been targeted by both financially motivated cybercriminals and state-sponsored actors.

Given the high value of endpoint management systems as a foothold for lateral movement and privilege escalation, it is likely that APT groups and other sophisticated adversaries will incorporate this vulnerability into their toolkits if unpatched systems remain accessible. Sectors such as government, finance, healthcare, and critical infrastructure should be especially vigilant, as these are frequent targets for APT activity.

Affected Product Versions

The vulnerability affects FortiClientEMS version 7.4.4 exclusively. Other product branches, including FortiClientEMS 7.2, FortiClientEMS 8.0, and FortiEMS Cloud, are not affected according to the official Fortinet advisory.

The patched version is FortiClientEMS 7.4.5 and above. Organizations running the affected version should prioritize upgrading to the latest available release to mitigate the risk.

In summary, the affected and unaffected versions are as follows: Affected: FortiClientEMS 7.4.4 Not affected: FortiClientEMS 7.2 (all versions), FortiClientEMS 8.0 (all versions), FortiEMS Cloud Patched: FortiClientEMS 7.4.5 and later

Workaround and Mitigation

The primary mitigation is to upgrade FortiClientEMS from version 7.4.4 to 7.4.5 or a later release. This update fully addresses the SQL injection vulnerability and eliminates the risk of unauthenticated code execution. Other product branches, such as 7.2, 8.0, and FortiEMS Cloud, do not require action as they are not affected.

In addition to patching, organizations should implement the following best practices to reduce exposure and detect potential exploitation attempts. Administrators should review web server and application logs for unusual or unauthorized HTTP requests targeting the FortiClientEMS administrative interface. Monitoring for unexpected creation of administrative accounts or the execution of system commands originating from the FortiClientEMS host can help identify compromise. Restricting network access to the FortiClientEMS management interface to trusted IP addresses and enforcing strong authentication controls can further reduce the attack surface.

If immediate patching is not possible, consider isolating the affected system from untrusted networks and disabling external access to the management interface until the update can be applied. However, these are only temporary measures and do not provide complete protection against exploitation.

References

Fortinet PSIRT Advisory FG-IR-25-1142, NVD CVE-2026-21643, The Hacker News: Fortinet Patches Critical SQLi Flaw, Reddit: FortiClient EMS Possible unauthenticated SQL Injection

Rescana is here for you

At Rescana, we understand the critical importance of timely vulnerability management and third-party risk reduction. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. We are committed to providing actionable intelligence and expert guidance to help you stay ahead of emerging threats. If you have any questions about this advisory or require further assistance, our team is ready to help at ops@rescana.com.