Critical Fortinet FortiClient EMS Flaw CVE-2026-21643 Now Under Active Exploitation
A critical SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-21643, is now being exploited in the wild. Threat intelligence firm Defused confirmed that attackers began exploiting the flaw around March 26, targeting organizations still running the vulnerable FortiClient EMS version 7.4.4.
The vulnerability carries a CVSS score of 9.8 (Critical) and allows unauthenticated remote attackers to execute arbitrary code through specially crafted HTTP requests. Specifically, attackers inject SQL statements through the Site header of HTTP requests sent to the FortiClient EMS web GUI. Successful exploitation grants access to administrative credentials, endpoint inventory data, security policies, and certificates for all managed endpoints — in effect, a full compromise of the endpoint management infrastructure.
Fortinet released a patch (version 7.4.5) on February 6, but the gap between patch availability and active exploitation highlights a persistent problem: organizations are not patching fast enough. Only version 7.4.4 is affected; versions 7.2 and 8.0 are not vulnerable. Notably, Fortinet had not updated its own security advisory to reflect the in-the-wild exploitation at the time of writing.
Sources
- BleepingComputer — Critical Fortinet FortiClient EMS flaw now exploited in attacks
- Help Net Security — FortiClient EMS CVE-2026-21643 exploitation reported
- Arctic Wolf — CVE-2026-21643 Advisory
Commentary
This is yet another Fortinet appliance vulnerability making its way into active exploitation — and the pattern is depressingly familiar. Critical patch released, weeks pass, attackers pounce on the stragglers. A CVSS 9.8 SQL injection in an endpoint management server is about as bad as it gets: it is the system that manages all your endpoints, and a compromise here means the attacker effectively owns your fleet.
The fact that Fortinet has not even updated its advisory to reflect active exploitation is concerning. Organizations running FortiClient EMS 7.4.4 need to treat this as a drop-everything priority. If you cannot patch immediately, restrict network access to the EMS web interface and monitor for anomalous HTTP requests carrying SQL syntax in the Site header. An EMS host that was reachable while unpatched should also be checked for signs of compromise rather than simply upgraded, because a successful attack would already have yielded the administrative credentials and certificates described above.
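The monitoring advice above is easier to act on with something concrete to run over captured traffic. The following is an added example, not code from the article or from Fortinet: it parses raw HTTP requests as a reverse proxy or packet capture in front of the EMS web GUI might record them, pulls out the Site header (matched case-insensitively, since HTTP header names are case-insensitive and a detector keyed on the literal string `Site:` would miss `site:`), and flags values that either match common SQL injection patterns or fall outside an assumed allowlist of what a legitimate site name looks like. The sample requests, the host name `ems.example.internal`, the injection strings, and the allowlist regex are all constructed for illustration; they are not the real exploit payload and must be tuned to your own site naming scheme.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample capture (not real traffic, not the real exploit): four
# requests as a reverse proxy in front of the EMS web GUI might log them.
SAMPLE_REQUESTS = [
    # 1. benign: a plain site name
    "GET / HTTP/1.1\r\nHost: ems.example.internal\r\nSite: HQ-Site-01\r\n\r\n",
    # 2. UNION-based data extraction attempt
    "GET / HTTP/1.1\r\nHost: ems.example.internal\r\n"
    "Site: HQ' UNION SELECT username,password FROM admins--\r\n\r\n",
    # 3. stacked query with a time-based probe; header name in lower case
    "POST / HTTP/1.1\r\nHost: ems.example.internal\r\n"
    "site: x';SELECT pg_sleep(10)--\r\nContent-Length: 0\r\n\r\n",
    # 4. no Site header at all
    "GET / HTTP/1.1\r\nHost: ems.example.internal\r\n\r\n",
]

HEADER_NAME = "site"  # compared after lower-casing, so Site/SITE/site all match

# Assumed shape of a legitimate site name; adjust to your naming convention.
# This allowlist is the primary control: the signatures below only add detail.
BENIGN_SITE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# Coarse SQL injection indicators; each is (regex, human-readable label).
SQLI_SIGNATURES: List[Tuple[str, str]] = [
    (r"'", "single quote"),
    (r"--|/\*|#", "SQL comment sequence"),
    (r"\bunion\b.*\bselect\b", "UNION SELECT"),
    (r"\b(sleep|pg_sleep|waitfor\s+delay|benchmark)\b", "time-based probe"),
    (r";\s*(select|insert|update|delete|drop|exec|execute)\b", "stacked query"),
    (r"\bor\b\s+\S+\s*=\s*\S+", "tautology"),
]


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP request into a lower-cased name -> [values] map.

    Both CRLF and bare LF line endings are accepted, the request line is
    dropped, and duplicate headers are kept as a list rather than collapsed,
    so a second injected Site header cannot hide behind a benign first one.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def inspect_site_header(raw: str) -> List[Tuple[str, List[str]]]:
    """Return [(value, reasons)] for every suspicious Site header value.

    An empty list means either no Site header was present or every value
    looked like a plain site name and matched no injection signature.
    """
    flagged: List[Tuple[str, List[str]]] = []
    for value in parse_headers(raw).get(HEADER_NAME, []):
        reasons = [label for pattern, label in SQLI_SIGNATURES
                   if re.search(pattern, value, re.IGNORECASE)]
        if not BENIGN_SITE.fullmatch(value):
            reasons.append("outside site-name allowlist")
        if reasons:
            flagged.append((value, reasons))
    return flagged


def scan_capture(requests: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Run inspect_site_header over a list of raw requests; returns
    (request index, offending value, reasons) for each hit."""
    hits = []
    for index, raw in enumerate(requests):
        for value, reasons in inspect_site_header(raw):
            hits.append((index, value, reasons))
    return hits


if __name__ == "__main__":
    for index, value, reasons in scan_capture(SAMPLE_REQUESTS):
        print(f"request #{index}: Site={value!r} -> {', '.join(reasons)}")
```

Treat the signature list as a source of context, not as the gate: a blocklist of SQL keywords is trivially evaded with encoding or spacing tricks, so the allowlist check on the whole header value is what should drive alerting, and the signatures simply explain why a value was rejected. Expect to widen `BENIGN_SITE` if your site names legitimately contain characters such as apostrophes.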