www.securityweek.com 3/31/2026, 11:51:41 AM · via preferred

Exploitation of Critical Fortinet FortiClient EMS Flaw Begins



First seen 2026-02-09T21:55:42.941Z · Last seen 2026-03-31T11:51:41.654Z

CyberSIXT Evidence Panel
CVE Intel
CISA KEV: Not in KEV
Patch: Patch Available

Threat actors have started exploiting a critical-severity vulnerability in Fortinet FortiClient EMS, tracked as CVE-2026-21643, which is described as a pre-authentication SQL injection that can be exploited remotely via crafted HTTP requests. FortiClient EMS version 7.4.4 is affected, and a patch to 7.4.5 was released in early February, with Fortinet noting in its advisory that successful exploitation could lead to arbitrary code or command execution.

One month after public disclosure, Bishop Fox published technical information on the bug, warning that it was practical to exploit. Over the weekend, Defused Cyber warned that CVE-2026-21643 had been exploited for at least four days and that roughly 1,000 FortiClient EMS deployments are exposed to the internet, with The Shadowserver Foundation tracking over 2,000 internet-accessible instances as of 30 March.

Our analysis shows attackers can abuse the publicly accessible /api/v1/init_consts endpoint to trigger the SQL injection before authentication, rapidly extracting data from multi-tenant deployments, a claim supported by security researchers. According to Fortinet, the vulnerability was discovered internally.
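As an added example (not code from the article, Fortinet, Bishop Fox or Defused Cyber), the triage script below scans web access logs of a FortiClient EMS host for requests to the pre-authentication /api/v1/init_consts endpoint and flags those that come from untrusted networks or carry SQL metacharacters, and it checks a reported version against the affected/fixed versions named above. The Apache-style log format, the sample lines and the trusted address prefix are assumptions.

```python
"""Triage helper for CVE-2026-21643 exposure: flags suspicious hits on the
pre-auth /api/v1/init_consts endpoint in access logs (constructed sample data)."""
import re
from urllib.parse import unquote_plus

VULN_ENDPOINT = "/api/v1/init_consts"
AFFECTED_VERSION = "7.4.4"   # the only affected version named in the article
FIXED_VERSION = "7.4.5"

# Assumption: combined-log style lines; the real EMS log format may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Generic SQL-injection indicators in a decoded query string.
SQLI_MARKERS = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\b)", re.I)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Mar/2026:09:12:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512',
    '198.51.100.23 - - [30/Mar/2026:09:13:44 +0000] "GET /api/v1/init_consts?site=1%27-- HTTP/1.1" 500 0',
    '198.51.100.23 - - [30/Mar/2026:09:14:02 +0000] "GET /login HTTP/1.1" 200 1024',
]

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_vulnerable(version):
    """True when the reported EMS version is the affected 7.4.4 build."""
    return version == AFFECTED_VERSION

def flag_requests(lines, trusted_prefixes=("10.",)):
    """Return (ip, timestamp, reasons) for suspicious init_consts requests."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route, _, query = rec["path"].partition("?")
        if route != VULN_ENDPOINT:
            continue
        reasons = []
        if not rec["ip"].startswith(trusted_prefixes):   # pre-auth reach from outside
            reasons.append("external source")
        if SQLI_MARKERS.search(unquote_plus(query)):
            reasons.append("sql metacharacters in query")
        if reasons:
            hits.append((rec["ip"], rec["ts"], ",".join(reasons)))
    return hits

if __name__ == "__main__":
    for ip, ts, why in flag_requests(SAMPLE_LOG):
        print(f"{ts} {ip}: {why}")
```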


Article by CyberSIXT
