Summary :

A critical vulnerability (CVE-2026-21643, CVSS 9.1) has been identified in Fortinet FortiClientEMS, enabling unauthenticated remote code execution via specially crafted HTTP requests that exploit an SQL injection flaw. The vulnerability affects FortiClientEMS version 7.4.4 and exposes organizations to full system compromise if internet-facing EMS instances are deployed. Successful exploitation may grant attackers persistent access, administrative control over endpoint management functions, and the ability to pivot laterally across enterprise environments.
Although Fortinet has not confirmed active exploitation of this specific vulnerability, its disclosure occurs amid ongoing in-the-wild exploitation of other high-severity Fortinet flaws, heightening the overall threat landscape. Organizations operating FortiClientEMS 7.4.4 should immediately upgrade to version 7.4.5 or later and assess exposure of management interfaces to mitigate the risk of unauthorized access and downstream compromise.

‍

Technical Description :

CVE-2026-21643 stems from improper neutralization of special elements in SQL commands (CWE-89) within FortiClientEMS. The vulnerability allows an unauthenticated remote attacker to send crafted HTTP requests to vulnerable EMS endpoints, resulting in malicious SQL statements being executed by the backend database.
Successful exploitation enables execution of arbitrary system-level instructions within the FortiClientEMS application context, effectively resulting in remote code execution without authentication.
An attacker leveraging this vulnerability may fully compromise the EMS server, manipulate endpoint configuration data, deploy malicious policy updates, extract stored information, or use the compromised system as a pivot point for lateral movement across the enterprise network.
Fortinet has confirmed that version 7.4.4 is affected, while versions 7.2 and 8.0 are not vulnerable. The issue has been remediated in version 7.4.5 and later. Organizations should treat any internet-exposed EMS instance running 7.4.4 as a high-risk asset and prioritize immediate patch deployment.

‍

‍

Given FortiClientEMS functions as a centralized endpoint management platform, compromise of this component significantly elevates the risk of broader network exposure, unauthorized policy manipulation, and systemic security degradation.

‍

Exploitation Demonstration:

• An attacker identifies an internet-exposed FortiClientEMS instance running version 7.4.4.
• Crafted HTTP requests are submitted to vulnerable EMS endpoints to inject malicious SQL payloads.
• The injected SQL statements are executed by the backend database, enabling arbitrary command or code execution.
• The attacker gains control within the EMS application context and accesses endpoint management functions.
• The compromised EMS server is leveraged to establish persistence, deploy malicious configurations, or pivot laterally across the enterprise network.

‍

Ease of Exploitation:

Exploitation of CVE-2026-21643 is considered low complexity. The vulnerability does not require authentication, prior access, or user interaction. An attacker only requires network connectivity to a vulnerable FortiClientEMS instance and the ability to craft HTTP requests that trigger the SQL injection condition.
The absence of authentication barriers and additional protective controls significantly lowers the technical effort required, making exposed systems attractive targets for opportunistic threat actors and automated scanning campaigns.

‍

Conclusion:

CVE-2026-21643 represents a high-impact security vulnerability that exposes organizations to unauthenticated remote code execution and full compromise of FortiClientEMS management infrastructure.
Given FortiClientEMS’s central role in endpoint policy enforcement and visibility, successful exploitation can result in widespread operational disruption, unauthorized policy deployment, and lateral movement across enterprise systems.
The vulnerability’s severity, combined with its low exploitation barrier and the broader context of recent Fortinet vulnerability exploitation, underscores the urgency of patching affected systems and restricting exposure of EMS management interfaces.

‍

Impact :

Successful exploitation provides attackers with complete control over the FortiClientEMS server without authentication. This may result in unauthorized modification of endpoint policies, malicious configuration deployment to managed endpoints, extraction of sensitive management data, and credential compromise.
Because FortiClientEMS operates as a centralized administrative platform, compromise at this level may cascade across the enterprise environment, enabling persistence, lateral movement, and large-scale network compromise, ultimately jeopardizing system integrity, confidentiality, and operational continuity.

‍

IOC and Context Details:

‍

‍

Recommended Actions:

• Immediately upgrade FortiClientEMS instances running version 7.4.4 to version 7.4.5 or later.
• Restrict internet exposure of EMS management interfaces using firewall rules or VPN-only access.
• Implement network segmentation to isolate EMS servers from critical systems and sensitive assets.
  
• Monitor EMS logs for abnormal HTTP request patterns, unexpected SQL activity, or anomalous process execution.
• Enforce multi-factor authentication and strong credential policies for all administrative access to Fortinet products.
  
• Conduct configuration audits to detect unauthorized changes or newly created privileged accounts.
  
• Maintain continuous vulnerability management across all Fortinet products and supporting infrastructure.
• Ensure incident response plans include rapid containment and forensic procedures for compromised EMS servers.Apply continuous vulnerability scanning and patch management to all Fortinet products and dependent systems.
• Maintain an incident response plan that includes rapid containment and recovery procedures for compromised EMS servers.

‍

Reference:

https://fortiguard.fortinet.com/psirt/FG-IR-25-151