Mallory

Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory, endpoint-software-vulnerability
Updated March 21, 2026 at 02:37 PM · 6 sources

Fortinet issued a critical advisory for FortiClient Enterprise Management Server (EMS) warning that CVE-2026-21643 allows unauthenticated remote code execution through an SQL injection flaw (CWE-89) in the product's GUI/web interface. Because the interface does not sufficiently sanitize input, a remote attacker with no valid credentials can send specially crafted HTTP requests and execute arbitrary code or unauthorized commands on the EMS server, turning a central endpoint-management platform into a foothold for broader compromise.

Fortinet lists FortiClientEMS 7.4.4 as the affected version and recommends upgrading to 7.4.5 or later. The 8.0 and 7.2 branches are not affected, and a later note to the advisory states that FortiEMS Cloud/SaaS instances are not impacted, so immediate exposure is limited to on-premises deployments running 7.4.4.

Timeline

  1. Feb 11, 2026

    NCIIPC India flags CVE-2026-21643 as critical

    By February 11, 2026, India's NCIIPC had flagged CVE-2026-21643 as a critical issue for OEM checks, reflecting broader government-sector awareness of the FortiClientEMS vulnerability. Reporting also reiterated that fixes had been available since February 6.

  2. Feb 9, 2026

    Public reporting notes no evidence of CVE-2026-21643 exploitation

    As public coverage of the advisory spread, reports highlighted that Fortinet had not identified evidence of in-the-wild exploitation of CVE-2026-21643 at the time of publication. The company nevertheless urged rapid patching and review of logs for suspicious requests to the EMS GUI.

  3. Feb 9, 2026

    Canadian Centre for Cyber Security republishes Fortinet advisory

    The Canadian Centre for Cyber Security issued alert AV26-096 referencing Fortinet's February 6 advisory for CVE-2026-21643, identifying FortiClientEMS 7.4.4 as affected and urging administrators to review the vendor guidance and apply updates. This amplified official notice of the vulnerability to Canadian defenders.

  4. Feb 6, 2026

    Fortinet clarifies FortiEMS Cloud is not affected

    A February 6, 2026 advisory timeline update clarified that FortiEMS Cloud is unaffected by CVE-2026-21643. This narrowed the impact to affected on-premises FortiClientEMS deployments, specifically version 7.4.4.

  5. Feb 6, 2026

    Fortinet publishes advisory and patches CVE-2026-21643

    On February 6, 2026, Fortinet published a high-priority security advisory for CVE-2026-21643, a critical SQL injection flaw in FortiClientEMS 7.4.4 that can enable unauthenticated remote code or command execution via crafted HTTP requests. Fortinet released a fix, advised customers to upgrade to version 7.4.5 or later, and stated that the 7.2 and 8.0 branches are not affected.

  6. Jan 2, 2026

    Fortinet internally discovers FortiClientEMS SQL injection flaw

    Fortinet's Product Security team internally identified a critical SQL injection vulnerability in the FortiClientEMS administrative interface, later assigned CVE-2026-21643 and tracked by Fortinet as FG-IR-25-1142. Reporting attributes the discovery to Gwendal Guégniaud of the Fortinet Product Security team.

Related Stories

Unauthenticated RCE in FortiClient EMS Is Being Actively Exploited

A critical vulnerability in **FortiClient EMS**, Fortinet's endpoint management platform, allows **unauthenticated remote code execution** on affected servers. This is a separate flaw from CVE-2026-21643: it affects **FortiClient EMS 7.4.5 and 7.4.6**, the releases that fixed the earlier SQL injection, and exposes organizations that use the product to full compromise of the management system. Fortinet has reported **active exploitation in the wild**, and Finland's National Cyber Security Centre has urged organizations to apply the available **hotfix immediately**. Because the flaw can be exploited without authentication, exposed FortiClient EMS instances should be treated as high priority for emergency remediation and compromise assessment.

1 week ago

Critical SQL Injection in FortiClient EMS Multi-Tenant Mode

**Fortinet FortiClient Endpoint Management Server (EMS)** contains a critical unauthenticated SQL injection vulnerability, tracked as **CVE-2026-21643** with a **CVSS score of 9.1**, affecting **version 7.4.4** when **multi-tenant mode** is enabled. The flaw was introduced during a middleware refactor that changed database connection and tenant routing logic, allowing the HTTP `Site` header to be passed into a PostgreSQL `search_path` query without proper validation. Because the vulnerable middleware executes before authentication, an attacker can send a crafted HTTPS request and run arbitrary SQL commands without valid credentials. Research cited in the coverage says the publicly exposed `/api/v1/init_consts` endpoint is the most practical attack path because it can reveal whether multi-tenant mode is active, lacks rate limiting, and returns PostgreSQL error messages that support efficient error-based data extraction. Successful exploitation can lead to **full compromise of the EMS management database** and exposure of sensitive information. Commentary in the related podcast segment reinforces that the bug was introduced by the **7.4.4 refactoring** and fixed in **7.4.5**, highlighting how code refactoring can create serious security regressions when input handling and validation are not preserved.

2 weeks ago
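The bug class described in the story above, header-derived tenant name spliced into a PostgreSQL `search_path` statement before authentication, is illustrated here as an added Python example. This is not FortiClient EMS source code: the function names, the exact statement shape, the tenant-name allowlist and the access-log format are assumptions. The block shows the vulnerable construction beside a hardened one (validate the header, then bind the value through `set_config()` so it never becomes SQL text) and reuses the same allowlist to triage constructed proxy log lines for requests whose `Site` header could not be a legitimate tenant name, the kind of log review the advisory coverage recommends.

```python
"""Tenant-routing SQL construction: vulnerable vs hardened, plus a log triage.

Added example, not FortiClient EMS source.  It models the bug class in the
story above: an HTTP `Site` header becomes a PostgreSQL search_path before
authentication.  Function names, the statement shape, the tenant-name rule
and the log format are assumptions for illustration.
"""
import re

# Assumption: a legitimate tenant schema name is a short, plain identifier.
TENANT_RE = re.compile(r"^[A-Za-z0-9_]{1,63}$")


def is_valid_tenant(site: str) -> bool:
    """Allowlist check applied to the Site header before it touches SQL."""
    return bool(TENANT_RE.fullmatch(site))


def build_search_path_vulnerable(site: str) -> str:
    """'Before': header text spliced straight into the statement.

    A value containing a double quote closes the identifier, and whatever
    follows in the header is executed as SQL by the server.
    """
    return f'SET search_path TO "{site}", public'


def quote_ident(name: str) -> str:
    """Double embedded quotes, as PostgreSQL quote_ident() does."""
    return '"' + name.replace('"', '""') + '"'


def build_search_path_hardened(site: str):
    """'After': validate, then pass the value as a bound parameter.

    SET cannot take bind parameters, but set_config() can, so the value never
    becomes part of the SQL text.  Returns (sql, params) for a DB-API driver.
    """
    if not is_valid_tenant(site):
        raise ValueError(f"rejected Site header: {site!r}")
    return (
        "SELECT set_config('search_path', %s, false)",
        (f"{quote_ident(site)}, public",),
    )


# Constructed sample log (assumption: a reverse proxy in front of EMS records
# the request line and the Site header; EMS's own log format is not shown).
SAMPLE_LOG = """\
2026-02-07T10:01:12Z 203.0.113.7 GET /api/v1/init_consts site=acme
2026-02-07T10:01:13Z 203.0.113.7 GET /api/v1/init_consts site=acme"; SELECT version(); --
2026-02-07T10:01:20Z 198.51.100.4 GET /api/v1/init_consts site=
2026-02-07T10:02:05Z 198.51.100.4 POST /api/v1/login site=acme
2026-02-07T10:02:30Z 203.0.113.7 GET /api/v1/init_consts site=acme' OR '1'='1
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) site=(.*)$")


def flag_suspicious(lines):
    """Return (timestamp, client, path, site) for requests whose Site header
    would fail the tenant allowlist.  Every path is checked because the
    vulnerable middleware runs before authentication on all routes; an empty
    header (single-tenant traffic) is not flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, path, site = m.groups()
        if site and not is_valid_tenant(site):
            hits.append((ts, client, path, site))
    return hits


if __name__ == "__main__":
    payload = 'acme"; SELECT version(); --'
    print(build_search_path_vulnerable(payload))
    print(build_search_path_hardened("acme"))
    for hit in flag_suspicious(SAMPLE_LOG.splitlines()):
        print("suspicious:", hit)
```

Run it directly to see the injected statement the vulnerable builder produces, the parameterized form the hardened builder returns, and the two log lines the triage flags. The allowlist is the load-bearing control; `set_config()` with a bound parameter is defense in depth that keeps the header out of the SQL text even if validation is later loosened.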
Fortinet FortiClient EMS Zero-Day Lets Unauthenticated Attackers Take Control

Fortinet issued an emergency hotfix for a critical zero-day in **FortiClient EMS** that was being actively exploited in the wild. The vulnerability, tracked as `CVE-2026-35616` and documented in advisory `FG-IR-26-099`, affects FortiClient EMS versions **7.4.5** and **7.4.6** and allows an unauthenticated remote attacker to bypass API authentication and authorization. Fortinet rated the flaw **9.1 CVSSv3** and mapped it to **CWE-284 Improper Access Control**, warning that exploitation can enable arbitrary code or command execution and full control over endpoint management operations. The issue was reported by **Simo Kohonen** of Defused and independent researcher **Nguyen Duc Anh**, with Defused identifying exploitation activity before public disclosure. Fortinet said **7.2.x** is not affected, released hotfixes, and indicated that **7.4.7** will include the permanent fix. Organizations were urged to patch immediately, review EMS logs for suspicious unauthenticated API activity, and restrict external access to the EMS management interface wherever possible.

2 weeks ago
