CISA KEV Alert 4/13/2026, 9:37:06 PM

CISA adds critical Fortinet FortiClient EMS SQLi flaw to KEV list

CyberSIXT evidence panel: source marked as original reporting; primary source cisa.gov; listed in CISA KEV; patch available.

CISA has added CVE-2026-21643 to its Known Exploited Vulnerabilities catalogue. The entry concerns Fortinet FortiClient EMS, which contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted HTTP requests. The flaw is tracked as the Fortinet SQL Injection Vulnerability.

The vulnerability is a SQL injection in the FortiClient EMS web interface. An unauthenticated remote attacker can send malicious HTTP requests to manipulate backend database queries, potentially leading to arbitrary code or command execution on the affected system. The flaw carries a CVSS score of 9.1 (Critical). Fortinet has released a patch; the vendor advisory is available from FortiGuard PSIRT.

Active exploitation of this CVE has been confirmed, which is why it appears in the KEV catalogue. No public reports link this vulnerability to ransomware campaigns at this time. CISA has set a remediation deadline of 16 April 2026 for federal civilian executive branch agencies to address the issue.

CISA requires that FCEB agencies apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. All other organisations should review their exposure to Fortinet FortiClient EMS and implement the vendor's patch or mitigations as soon as possible.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-21643 and the CISA KEV catalogue.


Article by CyberSIXT