A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643, allows remote code execution via SQL injection and has a CVSS score of 9.1. Fortinet issued an urgent advisory in February to address the flaw, described as an improper neutralisation of elements used in an SQL Command, enabling an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
Defused wrote that first exploitation had occurred four days earlier, and that attackers can smuggle SQL statements through the Site header in HTTP requests, with nearly 1,000 FortiClient EMS instances publicly exposed according to Shodan. Shadowserver figures show approximately 2,000 FortiClient EMS instances online, the majority in the U.S. and Europe.
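As an added example, not code from the article, Defused or Fortinet, the following Python scanner extracts the Site header from raw HTTP requests and flags values that carry SQL syntax, the channel the article describes; the sample requests, placeholder paths and indicator lists are constructed assumptions to tune against real EMS traffic.

```python
import re
from typing import Dict, List

# Constructed sample requests (not real captures; the request paths are placeholders).
# The third carries SQL syntax in the Site header, the channel the article names.
SAMPLE_REQUESTS = [
    "POST /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\nSite: Default\r\n\r\n",
    "GET /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\nSite: Branch-Office 2\r\n\r\n",
    "POST /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\n"
    "Site: Default' UNION SELECT 1 --\r\n\r\n",
    "GET /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\n\r\n",
]
# Assumption: legitimate site names carry no quotes, comment markers or statement
# separators; tune these lists against your own EMS traffic before alerting on them.
SQL_METACHARS = {"single_quote": "'", "comment_dash": "--", "comment_block": "/*", "statement_sep": ";"}
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop|exec|waitfor|sleep)\b", re.I)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header map of one raw HTTP request, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def site_header_reasons(value: str) -> List[str]:
    """List the SQL-injection indicators present in a Site header value."""
    reasons = [name for name, token in SQL_METACHARS.items() if token in value]
    if SQL_KEYWORDS.search(value):
        reasons.append("sql_keyword")
    return reasons


def scan_requests(raw_requests: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose Site header looks like SQL."""
    findings: List[Dict[str, object]] = []
    for idx, raw in enumerate(raw_requests):
        site = parse_headers(raw).get("site")
        if site is not None:
            reasons = site_header_reasons(site)
            if reasons:
                findings.append({"index": idx, "site": site, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"request {f['index']}: Site={f['site']!r} -> {', '.join(f['reasons'])}")
```

Run it over exported access logs or a proxy capture to triage exposure of the roughly 1,000 to 2,000 internet-facing instances the article cites; a hit is a lead for the incident response team, not proof of compromise.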
Fortinet's advisory lists FortiClientEMS 8.0 and 7.2 as not affected and FortiClientEMS 7.4.4 as affected, with the fix being an upgrade to 7.4.5 or above; Fortinet notes that it is still assessing exploitation in the wild. According to Defused, the vulnerability had not yet been added to KEV lists at the time of reporting, although real-world attacks had been observed.