Critical FortiClientEMS Flaw Allows Remote Code Execution

A critical security advisory from Fortinet mandates immediate patching for instances of FortiClientEMS. This solution serves as the company’s central management platform for endpoint protection.

The vulnerability, tracked as CVE-2026-21643, carries a CVSSv3 score of 9.1 and could allow unauthenticated, remote attackers to execute arbitrary code or unauthorized commands on affected servers.

The flaw is categorized as an SQL Injection (SQLi) vulnerability, formally identified as an “improper neutralization of special elements used in an SQL Command” (CWE-89).

It resides specifically within the Graphical User Interface (GUI) component of the software. Because the input sanitization is insufficient, an attacker can manipulate database queries by sending specifically crafted HTTP requests.

This effectively bypasses authentication barriers, granting the attacker control over the underlying system without needing valid credentials.

This is particularly dangerous for enterprise environments, as FortiClientEMS is typically the central hub for managing endpoint security policies, antivirus deployments, and compliance reporting across an organization’s network.

A successful compromise here could serve as a beachhead for lateral movement into the wider network or allow for the deployment of ransomware.

Affected Versions

According to the Fortinet advisory, the vulnerability impacts specific versions of the 7.4 branch. Administrators running FortiClientEMS 7.4.4 are urged to upgrade immediately.

The official remediation path is as follows:

• Upgrade to FortiClientEMS 7.4.5 or above.

Fortinet has confirmed that versions in the 8.0 and 7.2 branches are not affected by this specific flaw. Additionally, an update to the timeline on February 6, 2026, clarified that FortiEMS Cloud instances are also unaffected, removing immediate concern for SaaS customers.

The vulnerability was discovered internally by Gwendal Guégniaud of the Fortinet Product Security team, indicating that there is currently no evidence of exploitation in the wild at the time of publication.

However, given the high severity score (9.1) and the low complexity required for exploitation (CVSS vector AV:N/AC:L/PR:N), threat actors are likely to reverse-engineer the patch.

The vulnerability allows for a complete compromise of the CIA triad (Confidentiality, Integrity, and Availability), all rated as “High” impact in the CVSS calculation.

Security teams are advised to review their logs for suspicious HTTP requests targeting the EMS GUI and, where possible, isolate management interfaces from the public internet until the patch can be applied.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.