FORTINET has released security updates to address a critical flaw in FortiClientEMS that could allow unauthenticated code execution. The vulnerability is tracked as CVE-2026-21643 and carries a CVSS score of 9.1/10. According to Fortinet, it involves improper neutralisation of SQL elements in FortiClientEMS that could enable an unauthenticated attacker to execute arbitrary code via specially crafted HTTP requests.
The affected FortiClientEMS versions are 7.4.4 (upgradable to 7.4.5 or above) and 8.0 (not affected by this issue), while FortiClientEMS 7.2 is listed as not affected. Gwendal Guégniaud of the Fortinet Product Security team is credited with discovering and reporting the flaw. The development comes after Fortinet previously addressed another critical FortiOS-related issue, CVE-2026-24858, which Fortinet notes has been exploited in the wild to compromise devices and alter configurations.