CISA warns Fortinet FortiClient EMS flaw faces active exploitation


CISA has added a Fortinet FortiClient EMS vulnerability to its Known Exploited Vulnerabilities catalog, confirming that attackers are actively exploiting it in the wild. The flaw, tracked as CVE-2026-21643, is a SQL injection issue that can let an unauthenticated attacker execute unauthorized code or commands through crafted HTTP requests.

The warning matters because FortiClient EMS sits at the center of endpoint management in many organizations. A compromise there could give an attacker a direct path into security controls, policy management, and sensitive enterprise systems that rely on the platform.

CISA added the bug to KEV on April 13, 2026, and gave U.S. federal civilian agencies until April 16, 2026 to act. The agency’s required action says defenders must apply vendor mitigations, follow BOD 22-01 guidance for cloud services where relevant, or stop using the product if mitigations are unavailable.

What Fortinet says about the bug

Fortinet’s own advisory describes CVE-2026-21643 as an improper neutralization of special elements used in an SQL command, or CWE-89. The company says the flaw affects FortiClient EMS 7.4.4, while FortiClient EMS 7.2 and 8.0 are not affected. Fortinet also says the issue may allow an unauthenticated attacker to execute unauthorized code or commands through specifically crafted HTTP requests.

That combination makes the issue especially serious. No valid account is required, the attack happens over the network, and the CVSS base score listed in NVD, as supplied by the CNA, is 9.8 out of 10, which places it in the critical range.

Fortinet first published its advisory on February 6, 2026. At that time, the company did not mark the flaw as known exploited, but CISA’s KEV entry now changes the risk picture and confirms active abuse.

Why defenders should move fast

SQL injection flaws can open far more than a database. In this case, both Fortinet and NVD say crafted requests may lead to unauthorized code or command execution, which means attackers may be able to move from web-facing access into deeper administrative control.

FortiClient EMS also gives attackers a high-value target. Organizations use it to manage endpoint security deployments and policies, so an intrusion at the management layer could affect many connected systems at once. That kind of centralized access often makes these products attractive for initial access, lateral movement, and follow-on malware activity. That last point is an inference from the product's role and the flaw's impact, not something either advisory states.

There is another important angle here. Fortinet issued a separate April 2026 advisory for CVE-2026-35616, another unauthenticated FortiClient EMS issue that the company says attackers are exploiting in the wild in versions 7.4.5 through 7.4.6. That does not change the details of CVE-2026-21643, but it does mean that upgrading 7.4.4 to exactly 7.4.5 trades one exploited bug for another. Defenders should review FortiClient EMS exposure carefully across versions and move to the latest 7.4 release Fortinet publishes, not just patch a single issue and move on.

Quick breakdown

Item                          Details
CVE                           CVE-2026-21643
Product                       Fortinet FortiClient EMS
Vulnerability type            SQL injection
Attack requirements           Unauthenticated, remote
Reported impact               Unauthorized code or command execution
Affected version              FortiClient EMS 7.4.4
Fixed version                 Upgrade to 7.4.5 or above
KEV date added                April 13, 2026
CISA due date for agencies    April 16, 2026

What admins should do now

  • Upgrade FortiClient EMS 7.4.4 to 7.4.5 or later. Because Fortinet's separate April 2026 advisory covers 7.4.5 through 7.4.6, go to the latest 7.4 release available rather than stopping at 7.4.5.
  • Check whether any FortiClient EMS instance is internet-exposed. The management interface should only be reachable from trusted networks; if it is exposed, restrict access while you patch.
  • Review HTTP logs for suspicious crafted requests aimed at EMS interfaces. URL-decode parameters before matching, since injection payloads in raw access logs are almost always percent-encoded, and keep in mind that POST bodies do not appear in access logs.
  • Hunt for signs of unauthorized commands or abnormal admin activity: new or modified administrator accounts, unexpected policy or deployment changes pushed to endpoints, and unusual child processes of the EMS service.
  • Apply CISA's BOD 22-01 cloud-service guidance where relevant.
  • Take the system offline if you cannot mitigate quickly, as CISA's required action directs.

These actions follow CISA’s required-action language and Fortinet’s vendor guidance.
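A worked example of the log review and version triage steps above, added to this article rather than taken from Fortinet or CISA. It parses constructed access-log lines in combined log format, URL-decodes each request target (repeatedly, so double-encoded payloads are caught), and flags the classic SQL injection indicators a crafted request would carry. The log format, the placeholder path prefix /ems/, the IP addresses and the user agents are assumptions for the example; the page does not name the real EMS endpoints, and real EMS or proxy logs may differ. The version classifier returns only what this page reports about each version range.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (combined log format), not real EMS logs.
# /ems/... stands in for whatever EMS endpoint appears in your own logs.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2026:02:11:07 +0000] "GET /ems/api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2026:02:11:09 +0000] "GET /ems/api/devices?id=1%27%20UNION%20SELECT%20name%2Cpassword%20FROM%20users-- HTTP/1.1" 500 77 "-" "python-requests/2.31"
198.51.100.7 - - [14/Apr/2026:02:12:30 +0000] "POST /ems/api/login HTTP/1.1" 200 200 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2026:02:12:41 +0000] "GET /ems/api/devices?id=1%3B%20SELECT%20pg_sleep(10)-- HTTP/1.1" 200 77 "-" "curl/8.5"
198.51.100.7 - - [14/Apr/2026:02:13:02 +0000] "GET /ems/api/devices?id=1%20AND%201%3D1 HTTP/1.1" 200 77 "-" "curl/8.5"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators of SQL injection in a *decoded* request target.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I),
    "quote_then_sql": re.compile(r"'\s*(?:(?:or|and|union)\b|;|--|/\*)", re.I),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I),
    "time_based": re.compile(r"(?:\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b)", re.I),
    "tautology": re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.I),
    "sql_comment": re.compile(r"(?:--|/\*)"),
}


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(text: str, path_prefix: str = "/") -> list[dict]:
    """Return one finding per request whose decoded target matches an indicator.

    Only the URL is inspected: POST bodies are not written to access logs,
    so injection attempts carried in a body are invisible to this check.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(path_prefix):
            continue
        decoded = decode_target(m["target"])
        hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "ua": m["ua"], "target": decoded, "indicators": hits})
    return findings


def hits_by_source(findings: list[dict]) -> dict:
    """Count flagged requests per source IP; repeated probes from one host stand out."""
    counts: dict = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


def ems_version_status(version: str) -> str:
    """Map a FortiClient EMS version to what this article reports about it.

    Ranges the article does not cover are reported as 'not stated'; check
    Fortinet's advisory for those rather than assuming they are safe.
    """
    parts = tuple(int(p) for p in version.split("."))[:3]
    if parts == (7, 4, 4):
        return "vulnerable to CVE-2026-21643 (in KEV); upgrade"
    if (7, 4, 5) <= parts <= (7, 4, 6):
        return "vulnerable to CVE-2026-35616 per Fortinet's April 2026 advisory; upgrade"
    if parts[:2] in ((7, 2), (8, 0)):
        return "not affected by CVE-2026-21643 per Fortinet"
    return "not stated on this page; check Fortinet's advisory"


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, path_prefix="/ems/"):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['indicators']} {f['target']}")
    print("flagged requests per source:", hits_by_source(scan_access_log(SAMPLE_LOG, "/ems/")))
    for v in ("7.4.4", "7.4.5", "7.2", "7.4.3"):
        print(v, "->", ems_version_status(v))
```

Treat a match as a lead, not a verdict: the patterns will also fire on legitimate parameters that happen to contain SQL-looking text, and they will miss payloads that an attacker sends in a POST body or in a header. Pair the hits with the admin-activity hunt above before drawing conclusions.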

FAQ

What is CVE-2026-21643?

It is a critical SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4 that may let an unauthenticated attacker execute unauthorized code or commands using crafted HTTP requests.

Is the flaw actively exploited?

Yes. CISA added it to the KEV catalog on April 13, 2026, and CISA lists a vulnerability there only when it has evidence of active exploitation. Fortinet's original February advisory did not flag the flaw as exploited, so the KEV entry is what establishes that status in public records.

Which versions are affected?

Fortinet says FortiClient EMS 7.4.4 is affected. The company says 7.2 and 8.0 are not affected.

What is the fix?

Fortinet says customers should upgrade from FortiClient EMS 7.4.4 to 7.4.5 or above.
