Critical Fortinet FortiClient EMS Vulnerability Exploited Attacks

Threat actors are actively exploiting a critical SQL injection vulnerability impacting Fortinet’s FortiClient Endpoint Management Server (EMS). Identified as CVE-2026-21643, this severe flaw is now under active attack in the wild.

Threat actors have been leveraging this flaw in attacks starting four days ago, despite it not yet appearing on the CISA Known Exploited Vulnerabilities catalog.

The security flaw affects FortiClient EMS version 7.4.4, leaving systems vulnerable to unauthorized remote commands.

Fortinet has assigned this issue a critical CVSS score of 9.1, reflecting its severe potential impact on enterprise environments. The structured details of the vulnerability are outlined below to assist security teams with rapid threat classification.

FortiClient EMS Vulnerability Exploited

Recent Defused Cyber telemetry confirms that exploitation campaigns targeting internet-facing servers have successfully commenced.

According to Shodan data, nearly 1,000 instances of FortiClient EMS are currently publicly exposed, providing a substantial attack surface for threat actors.

In observed attacks, threat actors are bypassing security controls by smuggling malicious SQL statements through the Site header within an HTTP GET request.

A recorded payload targeting the /api/v1/init_consts endpoint demonstrates attackers injecting commands such as Site: x'; SELECT pg_sleep(4)--. This specific attack was observed originating from the threat actor IP address 104.192.92.135.

Discovered internally by Gwendal Guégniaud of Fortinet’s Product Security team, the flaw was officially disclosed on February 6, 2026.

The vulnerability stems from the improper neutralization of special elements within SQL commands in the FortiClient EMS administrative web interface. Because the software fails to properly sanitize user-supplied input, unauthenticated attackers can remotely execute arbitrary code.

Unauthenticated attackers can exploit this flaw without valid credentials, enabling them to completely compromise vulnerable endpoint management servers.

Successful exploitation allows threat actors to steal sensitive enterprise data, deploy secondary malware payloads, or move laterally across the internal network. The lack of authentication requirements makes this a highly attractive target for initial access brokers and ransomware affiliates.

Security teams must actively monitor their network traffic logs for anomalous HTTP GET requests directed at the administrative interface.

Defenders should specifically search for unexpected characters or SQL commands injected into the Site header, particularly attempts to execute time-based SQL injection functions. Identifying these specific indicators of compromise is crucial for detecting unauthorized access attempts before full exploitation occurs.

System administrators should rapidly inventory their external attack surface to identify any publicly exposed deployments running version 7.4.4. Upgrading to version 7.4.5 is the only definitive mitigation, and organizations should prioritize this update within their emergency patch management cycles. FortiClient EMS versions 7.2, 8.0, and the FortiEMS Cloud environments remain entirely unaffected by this security flaw.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.