
Threat actors have begun exploiting a critical SQL injection flaw in Fortinet FortiClient EMS that permits remote code execution without authentication, according to multiple security researchers. The vulnerability, tracked as CVE-2026-21643, carries a CVSS score of 9.1 and affects FortiClient EMS version 7.4.4. Fortinet fixed the issue in version 7.4.5, released in early February, but many installations remain unpatched and exposed online. SecurityWeek first reported the active exploitation over the weekend.
The flaw is a pre-authentication SQL injection triggered by sending a specially crafted HTTP request carrying an injection payload in the Site header, as detailed in Fortinet's advisory. Successful exploitation lets an attacker execute arbitrary commands on the underlying server, potentially yielding full control of the EMS appliance. Only version 7.4.4 is vulnerable; FortiClient EMS 8.0 and the older 7.2 branch are not affected, according to the vendor. Fortinet's advisory gives the root cause as improper neutralisation of special elements in an SQL command.
Researchers from Bishop Fox and Defused Cyber have shown that the injection can be used to drop a web shell or run reverse shell commands, giving attackers an initial foothold. The exploit needs no credentials and works against any EMS instance that exposes its management interface to the internet. Shodan data referenced by Defused Cyber puts the number of reachable devices at about one thousand, while Shadowserver counts roughly two thousand, most of them in the United States and Europe. Security Affairs said the first exploitation attempts were seen four days before the public alert.
Fortinet's own telemetry confirms that exploitation has been observed, and Defused Cyber says attackers have been active for at least four days, using the flaw to install malware or establish persistent access. No specific threat actor has been attributed to the activity, but the broad exposure of unpatched consoles raises the risk of opportunistic campaigns. Organisations that rely on FortiClient EMS for endpoint management should assume compromise if they are running version 7.4.4 and have not applied the update. The Hacker News noted that the flaw was found internally and reported by Fortinet product security engineer Gwendal Guégniaud.
Given the prevalence of exposed management interfaces, defenders should immediately verify the version of FortiClient EMS in use and apply the 7.4.5 update or later where available. If patching cannot be done at once, administrators are advised to restrict access to the EMS web console to trusted IP ranges or place it behind a VPN; these measures reduce exposure but do not remove the flaw, so they are a stopgap rather than a fix. Enabling detailed logging of HTTP requests and monitoring for anomalous SQL syntax in the Site header can help detect exploitation attempts early. Arctic Wolf also recommends reviewing recent admin account creations and unexpected scheduled tasks as possible indicators of compromise; given that researchers have demonstrated web shell deployment, unexpected files on the EMS server are worth checking as well.
Organisations should also consider removing the EMS console from direct internet exposure entirely if it is not required for remote management, since this closes the remote, unauthenticated attack path (an attacker already inside the network can still reach the console, so patching remains necessary). Where remote administration is necessary, deploying a web application firewall with rules that block common SQL injection patterns can provide an additional layer of defence. Regularly reviewing Fortinet's security advisories and subscribing to its security bulletins ensures timely awareness of future patches. Red Hat's CVE page offers a concise summary of the vulnerability and references to the official fix.
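As an added illustration of the two pieces of advice above, monitoring HTTP logs for SQL syntax in the Site header and blocking injection patterns at a WAF, the following example is written for this article; it is not Fortinet's code, not any of the cited researchers' tooling, and not a vendor detection signature. It assumes a hypothetical reverse-proxy log in front of the EMS console that records the client IP, method, path and the raw Site header; the log lines are constructed, the request paths are placeholders, and the indicator list and weights are the author's assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real telemetry). The format is a hypothetical
# reverse-proxy log: timestamp, client IP, method, placeholder path and the
# raw Site header value. IPs are from the documentation ranges.
SAMPLE_LOG = """\
2026-02-10T08:01:12Z src=198.51.100.7 method=GET path=/ site="HQ-Site"
2026-02-10T08:01:40Z src=198.51.100.7 method=GET path=/ site="O'Brien Branch"
2026-02-10T08:02:03Z src=203.0.113.44 method=POST path=/ site="x' OR 1=1 --"
2026-02-10T08:02:09Z src=203.0.113.44 method=POST path=/ site="x%27%3B+SELECT+pg_sleep%2810%29--"
2026-02-10T08:02:15Z src=203.0.113.44 method=POST path=/ site="a' UNION SELECT username,password FROM users--"
2026-02-10T08:03:00Z src=192.0.2.19 method=GET path=/ site=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) '
    r'path=(?P<path>\S+) site="(?P<site>.*)"$'
)

# (name, pattern, weight). A lone quote is weak evidence, because legitimate
# site names contain apostrophes; comment terminators, tautologies, UNION
# SELECT, stacked statements and time-delay functions are strong evidence.
# Weights are assumptions chosen for this example.
INDICATORS = [
    ("quote",        re.compile(r"'"), 1),
    ("comment",      re.compile(r"--|/\*|#"), 2),
    ("tautology",    re.compile(r"\b(or|and)\b\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I), 3),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S), 4),
    ("stacked",      re.compile(r";\s*(select|insert|update|delete|drop|exec|declare)\b", re.I), 4),
    ("time_delay",   re.compile(r"\b(sleep|pg_sleep|benchmark|waitfor)\b", re.I), 4),
]
ALERT_THRESHOLD = 3  # a score at or above this is reported (log scan) or blocked (WAF)


def score_site_header(raw):
    """Return (decoded value, score, matched indicator names) for one header."""
    value = unquote_plus(raw)  # inspect the decoded form: payloads are often URL-encoded
    hits = [name for name, rx, _ in INDICATORS if rx.search(value)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return value, score, hits


def scan_log(text, threshold=ALERT_THRESHOLD):
    """Detection mode: walk log lines and collect requests whose Site header scores high."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        decoded, score, hits = score_site_header(m["site"])
        if score >= threshold:
            alerts.append({"line": n, "src": m["src"], "site": decoded,
                           "score": score, "hits": hits})
    return alerts


def waf_decision(raw_site, threshold=ALERT_THRESHOLD):
    """Blocking mode: verdict for a single request's Site header, WAF style."""
    _, score, _ = score_site_header(raw_site)
    return "block" if score >= threshold else "allow"


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a['line']} src={a['src']} score={a['score']} "
              f"hits={','.join(a['hits'])} site={a['site']!r}")
    for raw in ("HQ-Site", "O'Brien Branch", "x' OR 1=1 --"):
        print(f"{raw!r}: {waf_decision(raw)}")
```

The scan flags the three injection attempts from 203.0.113.44 and leaves "O'Brien Branch" alone, which is the point of weighting: a single quote alone should not page anyone, but a quote followed by a comment terminator or a stacked statement should. Decoding before matching matters, since the fourth line only reveals its `; SELECT pg_sleep(10)` once URL-decoded. The same scorer drives the WAF verdict, but pattern blocking is a stopgap: attackers can vary encodings and keywords, so the rule buys time for the 7.4.5 upgrade rather than replacing it.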