Critical FortiClient EMS flaw exploited in attacks, patch now
Key Takeaways
- A critical SQL injection vulnerability (CVE-2026-21643) in FortiClient EMS is being actively exploited in the wild.
- The flaw affects FortiClient EMS version 7.4.4, allowing unauthenticated remote code execution.
- Fortinet has assigned a CVSS score of 9.1, indicating severe potential impact.
- A patch is available; organizations should upgrade to FortiClient EMS version 7.4.5 immediately.
Cyber adversaries are currently exploiting a severe SQL injection vulnerability within Fortinet’s FortiClient Endpoint Management Server (EMS). This critical flaw, tracked as CVE-2026-21643, presents a significant risk to organizations, with active attacks already observed in production environments.
Exploitation campaigns targeting this vulnerability began approximately four days ago, demonstrating the rapid weaponization of such flaws by threat actors, even before official inclusion in prominent registries like the CISA Known Exploited Vulnerabilities catalog.
The specific software version affected by this security issue is FortiClient EMS 7.4.4, which permits unauthorized remote command execution on vulnerable systems.
Fortinet has assessed the vulnerability with a critical CVSS score of 9.1, underscoring its potential for widespread and damaging impact on enterprise networks. This high severity rating highlights the urgent need for defensive measures and rapid remediation.
FortiClient EMS Vulnerability Exploited
Recent intelligence from Defused Cyber confirms that active exploitation campaigns have successfully targeted internet-accessible FortiClient EMS servers. Analysis of Shodan data reveals nearly 1,000 instances of FortiClient EMS are currently exposed to the public internet, providing a substantial attack surface for malicious actors.
Attackers are circumventing security controls by embedding malicious SQL statements within the Site header of HTTP GET requests. This technique allows them to inject arbitrary commands into the server’s database operations.
An observed payload targeting the /api/v1/init_consts endpoint showcased commands such as Site: x'; SELECT pg_sleep(4)--. This specific attack vector was identified originating from the IP address 104.192.92.135.
The vulnerability was initially discovered internally by Gwendal Guégniaud from Fortinet’s Product Security team and officially disclosed on February 6, 2026.
The root cause of the flaw lies in inadequate sanitization of user-supplied input within SQL commands processed by the FortiClient EMS administrative web interface. This improper handling of special characters enables unauthenticated attackers to remotely execute arbitrary code on the server.
Crucially, this vulnerability can be exploited without requiring any authentication credentials, allowing attackers to achieve complete compromise of vulnerable endpoint management servers with ease.
Successful exploitation grants threat actors the ability to exfiltrate sensitive enterprise data, deploy secondary malware payloads such as ransomware, or establish a foothold for lateral movement across the internal network. The absence of authentication requirements makes this an attractive target for initial access brokers and groups involved in ransomware operations.
What You Should Do
- Immediately upgrade all FortiClient EMS installations to version 7.4.5. This is the only definitive mitigation.
- Scan your external attack surface to identify any publicly exposed FortiClient EMS deployments running version 7.4.4.
- Monitor network traffic logs for anomalous HTTP GET requests directed at the administrative interface, specifically looking for unexpected characters or SQL commands injected into the Site header.
- Prioritize the detection of time-based SQL injection functions or other unusual SQL syntax in HTTP headers as an indicator of compromise.
- Note that FortiClient EMS versions 7.2 and 8.0, as well as FortiEMS Cloud environments, are not affected; these are confirmed to be unaffected by this particular flaw.
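As an added defender-side example (not from the article, Defused Cyber or Fortinet), the check below parses raw HTTP requests and flags a Site header carrying the SQL syntax described above, including the time-based pg_sleep probe. The sample requests are constructed to mirror the reported payload shape; the host name, indicator labels and regexes are this example's own assumptions.

```python
import re

# Added example: flag HTTP requests whose Site header carries SQL-injection
# syntax of the kind reported against the FortiClient EMS /api/v1/init_consts
# endpoint. Indicator names and regexes are this example's own choices.
INDICATORS = [
    ("string-break", re.compile(r"'\s*;")),             # quote closes a literal, new statement follows
    ("comment-terminator", re.compile(r"--\s*$")),      # trailing comment swallows the rest of the query
    ("pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)), # PostgreSQL time-based probe named in the report
    ("time-delay", re.compile(r"\b(sleep|waitfor\s+delay|benchmark)\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
]

def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path and a lower-cased header map."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def inspect_site_header(raw: str) -> list:
    """Return the indicator labels matched in the Site header; empty means clean."""
    site = parse_request(raw)["headers"].get("site")
    if site is None:
        return []
    return [label for label, pattern in INDICATORS if pattern.search(site)]

# Constructed sample traffic (not captured data); the host name is a placeholder.
SAMPLE_REQUESTS = [
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\nSite: Default\r\n\r\n",
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\n"
    "Site: x'; SELECT pg_sleep(4)--\r\n\r\n",
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\n\r\n",
]

def triage(requests: list) -> list:
    """Pair each request path with the indicators found, for alerting or review."""
    return [(parse_request(r)["path"], inspect_site_header(r)) for r in requests]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_REQUESTS):
        print(path, "ALERT" if hits else "ok", hits)
```

Only the second sample trips the check; a benign site name and a request without the header pass clean, which keeps the rule usable against the proxy or WAF logs of an EMS administrative interface.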