Fortinet warns of a critical FortiClientEMS vulnerability that lets remote attackers run malicious code without logging in, tracked as CVE-2026-21643 with a CVSS score of 9.1. According to Fortinet, the flaw involves improper neutralization of special elements used in an SQL Command (SQL Injection), enabling an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
A successful exploit could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment. The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team. The affected version is FortiClientEMS 7.4.4 (updating to 7.4.5 or above is advised); FortiClientEMS 7.2 and FortiClientEMS 8.0 are listed as not affected. Fortinet has not disclosed whether the flaw is being actively exploited in the wild. The article, dated 9 February 2026, notes that Fortinet released an urgent advisory detailing these particulars.