Fortinet has released important security updates to fix a critical SQL injection (SQLi) vulnerability in FortiClientEMS, a widely used endpoint management solution. If exploited, this flaw could allow unauthenticated attackers to execute arbitrary code, putting affected systems at serious risk.
The vulnerability is tracked as CVE-2026-21643 and has received a CVSS score of 9.1 out of 10, highlighting its high severity. Organizations using vulnerable versions of FortiClientEMS are strongly advised to apply the patch as soon as possible to prevent potential cyberattacks.
According to Fortinet’s official security advisory, the issue is caused by improper input validation in SQL commands, also known as SQL Injection (CWE-89). This weakness allows attackers to manipulate backend database queries using specially crafted HTTP requests.
Because the attack does not require authentication, a remote attacker could exploit the flaw without valid login credentials. Successful exploitation may allow the attacker to:
Execute unauthorized system commands
Run arbitrary code on the FortiClientEMS server
Potentially take full control of the affected system
Access or modify sensitive data
This makes CVE-2026-21643 particularly dangerous, especially for organizations exposing FortiClientEMS to the internet or using weak network segmentation.
Fortinet has confirmed which versions of FortiClientEMS are impacted by the vulnerability. The affected and unaffected versions are listed below:
Affected Version
FortiClientEMS 7.4.4 – Users must upgrade immediately
Not Affected
FortiClientEMS 7.2
FortiClientEMS 8.0
Recommended Fix
Upgrade FortiClientEMS 7.4.4 to version 7.4.5 or later
Applying the update fully resolves the SQL injection flaw and prevents exploitation.
The vulnerability was discovered and responsibly reported by Gwendal Guégniaud from the Fortinet Product Security Team. At the time of disclosure, Fortinet stated that there is no evidence of active exploitation of CVE-2026-21643 in the wild.
However, cybersecurity experts consistently warn that publicly disclosed critical vulnerabilities are often exploited shortly after release, especially when proof-of-concept exploits become available.
Even though there is currently no confirmation of real-world attacks exploiting this specific FortiClientEMS flaw, delaying patching can significantly increase risk. Threat actors frequently scan the internet for unpatched systems, and SQL injection vulnerabilities remain one of the most commonly abused attack vectors.
Failure to apply updates could result in:
Unauthorized access to enterprise networks
Malware deployment
Lateral movement within the environment
Data theft or service disruption
For businesses relying on Fortinet products to secure endpoints and manage devices, prompt remediation is essential.
This disclosure comes shortly after Fortinet patched another critical vulnerability affecting several of its products, including:
FortiOS
FortiManager
FortiAnalyzer
FortiProxy
FortiWeb
This second vulnerability, tracked as CVE-2026-24858, has a CVSS score of 9.4 and is even more severe due to confirmed active exploitation in the wild.
According to Fortinet, attackers are abusing this flaw when FortiCloud Single Sign-On (SSO) authentication is enabled. An attacker with:
A valid FortiCloud account, and
At least one registered device,
can gain unauthorized access to other devices registered under different FortiCloud accounts.
Threat actors have already used this vulnerability to:
Create local administrator accounts for persistence
Modify device configurations
Grant VPN access to malicious accounts
Exfiltrate firewall configurations
This confirms that Fortinet products are actively being targeted, making it even more important to apply all security patches without delay.
To reduce risk and strengthen security, organizations using Fortinet products should take the following steps:
Immediately upgrade FortiClientEMS 7.4.4 to version 7.4.5 or later
Review exposure of FortiClientEMS to external networks
Apply all recent Fortinet security updates across products
Monitor logs for unusual or unauthorized activity
Restrict access to management interfaces whenever possible
Proactive patch management remains one of the most effective defenses against cyber threats.
The release of patches for CVE-2026-21643 highlights the ongoing importance of securing enterprise software against high-impact vulnerabilities like SQL injection. While Fortinet has acted quickly to address the issue, the responsibility now lies with system administrators and security teams to apply the fixes.
Given the recent active exploitation of other Fortinet vulnerabilities, organizations should assume attackers are closely watching unpatched systems. Keeping FortiClientEMS and other Fortinet products up to date is critical to maintaining a strong security posture in today’s evolving threat landscape.
Interesting Article : BeyondTrust CVE-2026-1731 Pre-Auth RCE Flaw in Remote Support and PRA