Fortinet has issued a high-priority advisory for FortiClient Enterprise Management Server (EMS) warning of a critical SQL injection vulnerability that could allow attackers to execute arbitrary code without logging in. Tracked as CVE-2026-21643, the flaw carries a CVSS score of 9.1 and could enable a remote attacker to take full control of the management server via specially crafted HTTP requests.
The vulnerability stems from improper sanitisation of user input in FortiClientEMS and can be exploited without authentication to execute arbitrary code or commands. The issue affects FortiClientEMS 7.4, with version 7.4.4 listed as affected, while FortiClientEMS 8.0 and 7.2 are reported as not affected. Fortinet recommends upgrading FortiClientEMS 7.4.4 to 7.4.5 or above to close the security hole; organisations running the affected version should verify their installations and apply the patch promptly.
The article, dated 9 February 2026, emphasises that this unauthenticated RCE vulnerability places endpoint management infrastructure at particular risk.