An unauthenticated SQL injection flaw in Fortinet FortiClient EMS 7.4.4 lets remote attackers execute unauthorized code or commands via crafted HTTP requests, and CISA has confirmed active exploitation in the wild.
What Is It
CVE-2026-21643 is an improper neutralization of special elements in an SQL command (CWE-89) affecting Fortinet FortiClient EMS 7.4.4. A specifically crafted HTTP request can inject SQL into the application, enabling an unauthenticated remote attacker to execute unauthorized code or commands against the management server.
The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and full impact to confidentiality, integrity, and availability.
Why It Matters
FortiClient EMS is the central management console for FortiClient endpoint deployments. Compromise of the EMS server hands an attacker a privileged foothold over the endpoint fleet it manages, with no authentication required to reach it.
CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2026-04-13, confirming exploitation in the wild. A public proof-of-concept exploit is also referenced from the NVD record (GitHub: 0xBlackash/CVE-2026-21643), lowering the bar for opportunistic attacks. Known ransomware campaign use is currently listed as "Unknown."
What's Vulnerable
- Fortinet FortiClient EMS 7.4.4 (CPE: cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*)
Any EMS instance reachable over HTTP/HTTPS, particularly internet-exposed management consoles, should be treated as at immediate risk.
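A practical first step is to match the advisory's CPE against an asset inventory and surface the internet-exposed hits first. The following added example (not from the advisory, Fortinet or CISA) parses CPE 2.3 formatted strings and applies attribute-by-attribute matching with '*' as a wildcard. The inventory is constructed sample data, and the host names and the `internet_exposed` flag are assumptions about how such an inventory is kept. It matches only the exact version the page lists, so versions that are not in the CPE are neither cleared nor flagged; check those against the vendor advisory.

```python
import re
from dataclasses import dataclass

# The 11 attributes that follow "cpe:2.3" in a CPE 2.3 formatted string
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named attributes.
    A colon escaped with a backslash is part of a value, not a separator."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def attr_matches(pattern: str, value: str) -> bool:
    """'*' (ANY) matches anything; '-' (NA) and literals match only
    the same value, compared case-insensitively."""
    if pattern == "*":
        return True
    return pattern.lower() == value.lower()


@dataclass
class Asset:
    host: str            # assumed inventory field
    cpe: str             # CPE 2.3 string for the installed product
    internet_exposed: bool  # assumed inventory field


def affected_assets(advisory_cpe: str, assets: list) -> list:
    """Return assets whose CPE matches the advisory CPE on every attribute,
    internet-exposed ones first so they are triaged before internal ones."""
    pattern = parse_cpe23(advisory_cpe)
    hits = []
    for asset in assets:
        attrs = parse_cpe23(asset.cpe)
        if all(attr_matches(pattern[f], attrs[f]) for f in CPE_FIELDS):
            hits.append(asset)
    return sorted(hits, key=lambda a: not a.internet_exposed)


# CPE as listed in the advisory
ADVISORY_CPE = "cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*"

# Constructed sample inventory; host names are not real systems
INVENTORY = [
    Asset("ems-dmz-01", "cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*", True),
    Asset("ems-corp-02", "cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*", False),
    Asset("ems-lab-03", "cpe:2.3:a:fortinet:forticlientems:7.4.3:*:*:*:*:*:*:*", True),
    Asset("fgt-edge-01", "cpe:2.3:o:fortinet:fortios:7.4.4:*:*:*:*:*:*:*", True),
]

if __name__ == "__main__":
    for a in affected_assets(ADVISORY_CPE, INVENTORY):
        tag = "INTERNET-EXPOSED" if a.internet_exposed else "internal"
        print(f"{a.host}: matches {ADVISORY_CPE} ({tag})")
```

The `fgt-edge-01` entry is excluded on the `part`/`product` attributes even though its version string matches, and `ems-lab-03` is excluded because the page's CPE pins version 7.4.4; neither exclusion says anything about whether those products are safe.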
Patch Status
Fortinet published advisory FG-IR-25-1142 on its PSIRT portal covering this issue; refer to the vendor advisory for fixed versions and mitigation guidance.
CISA's required action (due 2026-04-16) under BOD 22-01: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.