Unauthenticated RCE in FortiClient EMS Is Being Actively Exploited
A critical vulnerability in FortiClient EMS, Fortinet’s endpoint management platform, allows unauthenticated remote code execution on affected servers. The issue impacts FortiClient EMS 7.4.5 and 7.4.6, exposing organizations that use the product to potential full compromise of the management system.
Fortinet has reported active exploitation in the wild, and Finland’s National Cyber Security Centre has urged organizations to apply the available hotfix immediately. Because the flaw can be exploited without authentication, exposed FortiClient EMS instances should be treated as high priority for emergency remediation and compromise assessment.
Timeline
Apr 4, 2026
Fortinet releases hotfix for vulnerable FortiClient EMS versions
A hotfix was released for the FortiClient EMS vulnerability affecting versions 7.4.5 and 7.4.6. Authorities recommended organizations install the fix immediately due to the risk of compromise.
Apr 4, 2026
FortiClient EMS vulnerability is actively exploited in the wild
A vulnerability affecting FortiClient EMS versions 7.4.5 and 7.4.6 was reported as allowing unauthenticated arbitrary code execution on affected systems. The vendor stated it had observed active exploitation of the flaw in the wild.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Affected Products
Sources
Related Stories
Fortinet FortiClient EMS Zero-Day Lets Unauthenticated Attackers Take Control
Fortinet issued an emergency hotfix for a critical zero-day in **FortiClient EMS** that was being actively exploited in the wild. The vulnerability, tracked as `CVE-2026-35616` and documented in advisory `FG-IR-26-099`, affects FortiClient EMS versions **7.4.5** and **7.4.6** and allows an unauthenticated remote attacker to bypass API authentication and authorization. Fortinet rated the flaw **9.1 CVSSv3** and mapped it to **CWE-284 Improper Access Control**, warning that exploitation can enable arbitrary code or command execution and full control over endpoint management operations. The issue was reported by **Simo Kohonen** of Defused and independent researcher **Nguyen Duc Anh**, with Defused identifying exploitation activity before public disclosure. Fortinet said **7.2.x** is not affected, released hotfixes, and indicated that **7.4.7** will include the permanent fix. Organizations were urged to patch immediately, review EMS logs for suspicious unauthenticated API activity, and restrict external access to the EMS management interface wherever possible.
2 weeks ago
Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.
1 months ago
Critical SQL Injection in FortiClient EMS Multi-Tenant Mode
**Fortinet FortiClient Endpoint Management Server (EMS)** contains a critical unauthenticated SQL injection vulnerability, tracked as **CVE-2026-21643** with a **CVSS score of 9.1**, affecting **version 7.4.4** when **multi-tenant mode** is enabled. The flaw was introduced during a middleware refactor that changed database connection and tenant routing logic, allowing the HTTP `Site` header to be passed into a PostgreSQL `search_path` query without proper validation. Because the vulnerable middleware executes before authentication, an attacker can send a crafted HTTPS request and run arbitrary SQL commands without valid credentials. Research cited in the coverage says the publicly exposed `/api/v1/init_consts` endpoint is the most practical attack path because it can reveal whether multi-tenant mode is active, lacks rate limiting, and returns PostgreSQL error messages that support efficient error-based data extraction. Successful exploitation can lead to **full compromise of the EMS management database** and exposure of sensitive information. Commentary in the related podcast segment reinforces that the bug was introduced by the **7.4.4 refactoring** and fixed in **7.4.5**, highlighting how code refactoring can create serious security regressions when input handling and validation are not preserved.
2 weeks ago