A critical SQL injection vulnerability, CVE-2026-21643, has been identified in FortiClient Endpoint Management Server (EMS), a centralized management platform for FortiClient endpoint agents across multiple environments.
The vulnerability is currently under active exploitation in the wild, even though it has not yet been added to the major catalogs of exploited vulnerabilities. Early attack activity indicates that threat actors are already targeting exposed systems.
This issue poses a serious risk to organizations that have their FortiClient EMS administrative interface accessible over the internet, as it allows remote compromise without authentication.
Vulnerability Details:
- CVE-ID: CVE-2026-21643
- CVSS Score: 9.8 (Critical)
- EPSS Score: 0.05%
- Vulnerability Type: SQL Injection
- Affected Product: Fortinet FortiClientEMS
Root Cause
CVE-2026-21643 is caused by improper neutralization of special elements in SQL commands, resulting in a SQL injection vulnerability.
The flaw was introduced in FortiClient EMS during changes to the middleware and database connection layer to support enhanced multi-tenant functionality.
Specifically, an HTTP header used to identify tenant context is passed directly into a backend SQL query without proper sanitization, and this occurs before authentication is enforced.
Impact
This vulnerability allows remote, unauthenticated attackers to:
- Execute arbitrary SQL queries on the backend PostgreSQL database
- Access highly sensitive information, including:
  - Administrative credentials
  - Endpoint inventory data
  - Security policies
  - Certificates for managed endpoints
- Potentially execute unauthorized commands or code on the server
Due to the absence of authentication requirements and the sensitivity of exposed data, the impact is considered critical.
Infection Method / Exploitation Technique
The exploitation process is simple and requires no authentication:
- The attacker connects to the FortiClient EMS web interface over HTTPS
- A specially crafted HTTP request is sent to the server
- The request contains a malicious tenant-identification HTTP header
- This header is directly incorporated into a SQL query without validation
- The injected SQL is executed by the database
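The flaw class described in the Root Cause and exploitation sections above, as an added illustrative example that is not Fortinet's code and is not derived from the EMS source: a tenant-identifying request header is spliced into the SQL text before any authentication check, shown beside the hardened form (authentication first, allowlist validation of the identifier, then a bound parameter). The header name `X-Tenant-Id`, the `tenants` table and its columns are assumptions; sqlite3 stands in for the PostgreSQL backend so the example runs offline.

```python
"""
Added example: vulnerable vs. hardened tenant resolution from an HTTP header.
Not Fortinet's code. Header name, table and column names are assumptions;
sqlite3 stands in for PostgreSQL so that this runs offline.
"""
import re
import sqlite3

# Assumed header name (placeholder, not taken from the advisory).
TENANT_HEADER = "X-Tenant-Id"

# Allowlist for what a tenant identifier may look like: letters, digits, '-' and '_'.
TENANT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_db() -> sqlite3.Connection:
    """Constructed sample database holding two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO tenants VALUES (?, ?)",
        [("acme", "Acme Corp"), ("globex", "Globex Inc")],
    )
    conn.commit()
    return conn


def resolve_tenant_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """Vulnerable pattern: the raw header value becomes part of the SQL statement.

    Whatever the client sends is interpreted as SQL syntax, not as data, and
    this runs before the caller has been authenticated.
    """
    tenant = headers.get(TENANT_HEADER, "")
    sql = f"SELECT id, name FROM tenants WHERE id = '{tenant}'"
    return conn.execute(sql).fetchall()


def resolve_tenant_fixed(conn: sqlite3.Connection, headers: dict) -> list:
    """Hardened pattern: validate the identifier, then bind it as a parameter.

    The allowlist rejects anything that is not a plain identifier; the bound
    parameter guarantees the value can never alter the statement's structure.
    """
    tenant = headers.get(TENANT_HEADER, "")
    if not TENANT_ID_RE.fullmatch(tenant):
        return []  # malformed identifier: nothing reaches the database
    sql = "SELECT id, name FROM tenants WHERE id = ?"
    return conn.execute(sql, (tenant,)).fetchall()


def handle_request(conn: sqlite3.Connection, headers: dict, authenticated: bool):
    """Hardened request path: no tenant lookup touches the database before authentication."""
    if not authenticated:
        return None  # a real handler would answer 401 here; no SQL has run
    return resolve_tenant_fixed(conn, headers)


if __name__ == "__main__":
    db = build_db()
    normal = {TENANT_HEADER: "acme"}
    crafted = {TENANT_HEADER: "' OR '1'='1"}  # constructed tautology, the textbook shape of such input
    print("vulnerable, normal header :", resolve_tenant_vulnerable(db, normal))
    print("vulnerable, crafted header:", resolve_tenant_vulnerable(db, crafted))
    print("fixed, normal header      :", resolve_tenant_fixed(db, normal))
    print("fixed, crafted header     :", resolve_tenant_fixed(db, crafted))
```

Run it directly and the vulnerable function returns every tenant row for the crafted header, while the fixed function returns nothing for it and still resolves the legitimate identifier; `handle_request` shows the ordering the advisory's root cause violates, with authentication enforced before any database access.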
Affected Products
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
Mitigation & Recommendations
To reduce the risk of exploitation of CVE-2026-21643 in Fortinet FortiClient EMS, organizations should take immediate action:
- Update FortiClient EMS from version 7.4.4 to 7.4.5 or later, where the vulnerability has been fixed.
- Limit exposure of the EMS administrative interface by:
  - Removing public internet access
  - Allowing access only via VPN or trusted internal networks
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated patching solution that instantly fixes risks exploited in the wild. It supports major operating systems, including Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
