Critical SQL Injection in FortiClient EMS Multi-Tenant Mode
Fortinet FortiClient Endpoint Management Server (EMS) contains a critical unauthenticated SQL injection vulnerability, tracked as CVE-2026-21643 with a CVSS score of 9.1, affecting version 7.4.4 when multi-tenant mode is enabled. The flaw was introduced during a middleware refactor that changed database connection and tenant routing logic, allowing the HTTP Site header to be passed into a PostgreSQL search_path query without proper validation. Because the vulnerable middleware executes before authentication, an attacker can send a crafted HTTPS request and run arbitrary SQL commands without valid credentials.
Research cited in the coverage says the publicly exposed /api/v1/init_consts endpoint is the most practical attack path because it can reveal whether multi-tenant mode is active, lacks rate limiting, and returns PostgreSQL error messages that support efficient error-based data extraction. Successful exploitation can lead to full compromise of the EMS management database and exposure of sensitive information. Commentary in the related podcast segment reinforces that the bug was introduced by the 7.4.4 refactoring and fixed in 7.4.5, highlighting how code refactoring can create serious security regressions when input handling and validation are not preserved.
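The tenant-routing defect described above, as an added illustration that is not Fortinet's code: the raw Site header interpolated into a search_path statement, beside a hardened form that validates the value as an identifier and checks it against a tenant allowlist, plus a triage helper run over constructed access-log lines. The tenant naming rule, the allowlist and the log format are assumptions, not details from the advisory.

```python
import re
from typing import Iterable, List

# Assumption (not from the advisory): a tenant Site name is a short identifier,
# letters/digits/underscore, starting with a letter. Real EMS rules may differ.
SITE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")

# Constructed allowlist standing in for the tenants table the middleware would consult.
KNOWN_SITES = frozenset({"default", "acme", "contoso"})


def vulnerable_search_path(site_header: str) -> str:
    """The defect class in the story: the header is interpolated straight into
    the statement, so PostgreSQL never treats it as a plain identifier."""
    return f"SET search_path TO {site_header}, public"


def safe_search_path(site_header: str, known_sites=KNOWN_SITES) -> str:
    """Hardened form: syntactic validation, allowlist check, identifier quoting.
    Raises ValueError rather than building a statement from untrusted text."""
    if not SITE_NAME_RE.fullmatch(site_header):
        raise ValueError("Site header is not a valid tenant identifier")
    if site_header not in known_sites:
        raise ValueError("Site header does not name a known tenant")
    # Double quotes make PostgreSQL read the value strictly as an identifier;
    # the regex above already excludes the quote character itself.
    return f'SET search_path TO "{site_header}", public'


def accepts_site(site_header: str) -> bool:
    """Convenience predicate: would the hardened middleware route this tenant?"""
    try:
        safe_search_path(site_header)
        return True
    except ValueError:
        return False


# Constructed access-log lines (not real EMS logs) with the Site header captured.
SAMPLE_LOG = [
    '2026-03-25T10:14:02Z 198.51.100.7 GET /api/v1/init_consts site="acme"',
    '2026-03-25T10:14:09Z 198.51.100.7 GET /api/v1/init_consts site="acme;x"',
    '2026-03-25T10:15:31Z 203.0.113.9 GET /api/v1/init_consts site="acme\'"',
    '2026-03-25T10:16:00Z 192.0.2.4 POST /api/v1/auth/login site="contoso"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) site="(.*)"$')


def flag_suspicious_site_headers(lines: Iterable[str]) -> List[str]:
    """Triage: return lines whose Site header is not a plain tenant identifier."""
    return [ln for ln in lines
            if (m := LOG_RE.match(ln)) and not SITE_NAME_RE.fullmatch(m.group(5))]
```

Feeding the flagged lines back into a SIEM search on the same source addresses is the natural next step during compromise assessment of an unpatched 7.4.4 host.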
Timeline
Apr 13, 2026
CISA adds CVE-2026-21643 to KEV and orders remediation
CISA added Fortinet FortiClient EMS flaw CVE-2026-21643 to its Known Exploited Vulnerabilities catalog on 2026-04-13, formally confirming active exploitation. The agency ordered U.S. federal civilian agencies to remediate by 2026-04-16 and urged other organizations to patch immediately.
Mar 30, 2026
Defused reports active exploitation of CVE-2026-21643
Threat intelligence firm Defused reported that attackers are actively exploiting CVE-2026-21643 against unpatched FortiClient EMS systems. The report said internet exposure was substantial, with roughly 1,000 to more than 2,000 exposed instances observed via Shodan and Shadowserver, while Fortinet's advisory had not yet been updated to note in-the-wild abuse.
Mar 24, 2026
Defused says CVE-2026-21643 exploitation has been observed since March 24
Researchers said active intrusions exploiting FortiClient EMS flaw CVE-2026-21643 have been observed since 2026-03-24. The activity targeted vulnerable FortiClient EMS 7.4.4 systems via SQL injection in the HTTP Site header, indicating exploitation began days before public reporting on the attacks.
Mar 18, 2026
CVE-2026-21643 details and exploitation path are publicly disclosed
Public reporting identified the bug as CVE-2026-21643, rated CVSS 9.1, and described how unauthenticated attackers could exploit the HTTP Site header against the publicly accessible /api/v1/init_consts endpoint to achieve arbitrary SQL execution. Reporting also noted risks including database compromise and possible remote code execution due to PostgreSQL superuser privileges, along with mitigations such as upgrading, disabling multi-tenant Sites, and restricting EMS web access.
Mar 17, 2026
Fortinet fixes the FortiClient EMS flaw in version 7.4.5
Fortinet patched the SQL injection vulnerability in FortiClient EMS in release 7.4.5, the version immediately following the affected 7.4.4 release. The fix removed the vulnerable behavior introduced in the prior version.
Mar 17, 2026
Fortinet introduces SQL injection flaw in FortiClient EMS 7.4.4
A format-string interpolation issue was introduced during a refactoring effort in FortiClient Endpoint Management Server version 7.4.4. The defect created a critical SQL injection condition affecting deployments with multi-tenant mode enabled.
Related Stories

Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.
1 month ago
Unauthenticated RCE in FortiClient EMS Is Being Actively Exploited
A critical vulnerability in **FortiClient EMS**, Fortinet’s endpoint management platform, allows **unauthenticated remote code execution** on affected servers. The issue impacts **FortiClient EMS 7.4.5 and 7.4.6**, exposing organizations that use the product to potential full compromise of the management system. Fortinet has reported **active exploitation in the wild**, and Finland’s National Cyber Security Centre has urged organizations to apply the available **hotfix immediately**. Because the flaw can be exploited without authentication, exposed FortiClient EMS instances should be treated as high priority for emergency remediation and compromise assessment.
1 week ago
Fortinet FortiClient EMS Zero-Day Lets Unauthenticated Attackers Take Control
Fortinet issued an emergency hotfix for a critical zero-day in **FortiClient EMS** that was being actively exploited in the wild. The vulnerability, tracked as `CVE-2026-35616` and documented in advisory `FG-IR-26-099`, affects FortiClient EMS versions **7.4.5** and **7.4.6** and allows an unauthenticated remote attacker to bypass API authentication and authorization. Fortinet rated the flaw **9.1 CVSSv3** and mapped it to **CWE-284 Improper Access Control**, warning that exploitation can enable arbitrary code or command execution and full control over endpoint management operations. The issue was reported by **Simo Kohonen** of Defused and independent researcher **Nguyen Duc Anh**, with Defused identifying exploitation activity before public disclosure. Fortinet said **7.2.x** is not affected, released hotfixes, and indicated that **7.4.7** will include the permanent fix. Organizations were urged to patch immediately, review EMS logs for suspicious unauthenticated API activity, and restrict external access to the EMS management interface wherever possible.
2 weeks ago