Critical FortiClient EMS flaw exploited in attacks, patch now


David Kimber
March 30, 2026

Key Takeaways

  • A critical SQL injection vulnerability (CVE-2026-21643) in FortiClient EMS is being actively exploited in the wild.
  • The flaw affects FortiClient EMS version 7.4.4, allowing unauthenticated remote code execution.
  • Fortinet has assigned a CVSS score of 9.1, indicating severe potential impact.
  • A patch is available; organizations should upgrade to FortiClient EMS version 7.4.5 immediately.

Cyber adversaries are currently exploiting a severe SQL injection vulnerability within Fortinet’s FortiClient Endpoint Management Server (EMS). This critical flaw, tracked as CVE-2026-21643, presents a significant risk to organizations, with active attacks already observed in production environments.

Exploitation campaigns targeting this vulnerability began approximately four days ago, demonstrating the rapid weaponization of such flaws by threat actors, even before official inclusion in prominent registries like the CISA Known Exploited Vulnerabilities catalog.

The specific software version affected by this security issue is FortiClient EMS 7.4.4, which permits unauthorized remote command execution on vulnerable systems.

Fortinet has assessed the vulnerability with a critical CVSS score of 9.1, underscoring its potential for widespread and damaging impact on enterprise networks. This high severity rating highlights the urgent need for defensive measures and rapid remediation.

FortiClient EMS Vulnerability Exploited

Recent intelligence from Defused Cyber confirms that active exploitation campaigns have successfully targeted internet-accessible FortiClient EMS servers. Analysis of Shodan data reveals nearly 1,000 instances of FortiClient EMS are currently exposed to the public internet, providing a substantial attack surface for malicious actors.

Attackers are circumventing security controls by embedding malicious SQL statements within the Site header of HTTP GET requests. This technique allows them to inject arbitrary commands into the server’s database operations.

An observed payload targeting the /api/v1/init_consts endpoint carried a header of the form Site: x'; SELECT pg_sleep(4)--. This is a time-based probe: pg_sleep(4) asks PostgreSQL to pause for four seconds, so a delayed response tells the attacker the injected statement was executed. This specific attack vector was identified originating from the IP address 104.192.92.135.

The vulnerability was initially discovered internally by Gwendal Guégniaud from Fortinet’s Product Security team and officially disclosed on February 6, 2026.

The root cause of the flaw lies in inadequate sanitization of user-supplied input within SQL commands processed by the FortiClient EMS administrative web interface. This improper handling of special characters enables unauthenticated attackers to remotely execute arbitrary code on the server.

Crucially, this vulnerability can be exploited without requiring any authentication credentials, allowing attackers to achieve complete compromise of vulnerable endpoint management servers with ease.

Successful exploitation grants threat actors the ability to exfiltrate sensitive enterprise data, deploy secondary malware payloads such as ransomware, or establish a foothold for lateral movement across the internal network. The absence of authentication requirements makes this an attractive target for initial access brokers and groups involved in ransomware operations.

What You Should Do

  • Immediately upgrade all FortiClient EMS installations to version 7.4.5. This is the only definitive mitigation.
  • Scan your external attack surface to identify any publicly exposed FortiClient EMS deployments running version 7.4.4.
  • Monitor network traffic logs for anomalous HTTP GET requests directed at the administrative interface, specifically looking for unexpected characters or SQL commands injected into the Site header.
  • Prioritize the detection of time-based SQL injection functions or other unusual SQL syntax in HTTP headers as an indicator of compromise.
  • Note that FortiClient EMS versions 7.2 and 8.0, and FortiEMS Cloud environments, are not affected; these are confirmed to be secure against this particular flaw.
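As an added illustration of the header monitoring recommended above (this is not code from the article or from Fortinet), the following Python scores the Site header of logged HTTP requests with weighted indicators, so that a lone apostrophe in a legitimate site name stays below the alert threshold while a time-based probe of the shape described in the article is flagged. The host names and benign Site values are constructed; the threshold and weights are assumptions to tune against your own traffic.

```python
import re
# Constructed requests, as a proxy in front of the EMS admin interface might log
# them; the first Site value mirrors the payload shape described in the article.
SAMPLE_REQUESTS = [
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\n"
    "Site: x'; SELECT pg_sleep(4)--\r\n\r\n",
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\n"
    "Site: O'Brien Office\r\n\r\n",
]

# Weighted indicators: a lone apostrophe is common in legitimate site names and
# scores low; a delay function or a quote followed by ';' scores high.
INDICATORS = [
    (re.compile(r"pg_sleep\s*\(", re.I), 3, "time-based delay function"),
    (re.compile(r"'\s*;"), 3, "quote followed by statement terminator"),
    (re.compile(r"--|/\*"), 2, "SQL comment sequence"),
    (re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I), 2, "SQL keyword"),
    (re.compile(r"'"), 1, "single quote"),
]

def parse_request(raw):
    # Returns (request_line, {lower-cased header name: value}); body is ignored.
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def score_site_header(value):
    # Sum the weights of every indicator present and record why.
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(value):
            score += weight
            reasons.append(label)
    return score, reasons

def scan_requests(requests, threshold=3):
    # Flag requests whose Site header reaches the threshold; the rest pass.
    # Each finding is (request_line, site_value, score, reasons).
    findings = []
    for raw in requests:
        request_line, headers = parse_request(raw)
        site = headers.get("site")
        if site is not None:
            score, reasons = score_site_header(site)
            if score >= threshold:
                findings.append((request_line, site, score, reasons))
    return findings
```

Feed it the raw request lines your proxy or WAF records; a finding for a request with no Site header is never produced, and requests with ordinary site names score zero or one.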
