Critical FortiClient EMS flaw is under active attack, and exposed servers need patching now
A critical Fortinet FortiClient EMS vulnerability is now being exploited in the wild. Fortinet’s own advisory says CVE-2026-21643 is an unauthenticated SQL injection flaw in the FortiClient EMS administrative interface, and the company rates it Critical with a CVSS score of 9.1.
The bug affects FortiClient EMS 7.4.4 and allows an unauthenticated attacker to execute unauthorized code or commands through specially crafted HTTP requests. Fortinet says FortiClient EMS 7.2, 8.0, and FortiEMS Cloud are not affected.
Recent exploitation reports suggest attackers have already moved beyond proof of concept. Multiple security outlets say active exploitation began in late March 2026, although CISA’s public KEV catalog did not show CVE-2026-21643 in the visible catalog results I found on March 30, 2026.
What CVE-2026-21643 does
Fortinet describes the issue as improper neutralization of special elements used in an SQL command, which is the classic definition of SQL injection. In this case, the vulnerable surface sits in the FortiClient EMS web interface, which means exposed management servers face the highest risk.
The impact goes beyond database access. Fortinet says a remote, unauthenticated attacker can execute unauthorized code or commands, which places this bug in remote code execution territory for practical defense purposes. NVD also describes the flaw as network-reachable, requiring no privileges and no user interaction.
Third-party reporting published today says attackers have abused the Site HTTP header in requests to /api/v1/init_consts to smuggle malicious SQL into internet-facing FortiClient EMS servers. I have not found Fortinet publicly confirming that exact header and endpoint pattern, so that detail should be treated as exploitation reporting rather than vendor-confirmed behavior.
Vulnerability snapshot
| Item | Details |
|---|---|
| CVE | CVE-2026-21643 |
| Product | Fortinet FortiClient EMS |
| Severity | Critical |
| Fortinet CVSS | 9.1 |
| Affected version | 7.4.4 |
| Fixed version | 7.4.5 or later |
| Authentication required | No |
| Impact | Unauthorized code or command execution |
Why this Fortinet bug matters
FortiClient EMS often sits in a sensitive management role inside enterprise environments. A compromise here can give attackers a way to tamper with endpoint management infrastructure, steal sensitive data, or pivot deeper into the internal network. That is why Fortinet and multiple security vendors pushed urgent upgrade guidance in February, long before exploitation reports surfaced this week.
The risk also increases when the EMS interface is reachable from the internet. Reporting today says roughly 1,000 FortiClient EMS instances appear publicly exposed based on Shodan-related estimates, though that number comes from third-party reporting rather than Fortinet.
This pattern should feel familiar to defenders. A critical Fortinet management-plane bug, an exposed administrative interface, and rapid attacker uptake often create a short window between disclosure and exploitation. That makes patch speed more important than perfect attribution or full exploit-chain visibility.
What Fortinet says to do
Fortinet’s mitigation is straightforward. Upgrade FortiClient EMS 7.4.4 to 7.4.5 or later. The PSIRT advisory lists no workaround that fully removes the risk on the affected branch other than moving to the fixed release.
Release materials for FortiClient EMS 7.4.5 are already available, and the fixed build has been public since March 2026. That means organizations running 7.4.4 have had a patch available for weeks and should treat any delay as security debt.
If you manage FortiClient EMS, you should also review web logs for unusual GET requests to the admin interface and suspicious header values while patching. That detection advice comes from third-party exploitation analysis, not from Fortinet’s advisory, but it is a sensible check given the reported attack pattern.
Immediate actions for admins
- Upgrade FortiClient EMS 7.4.4 to 7.4.5 or later
- Check whether the EMS admin interface is internet-facing
- Review recent requests to administrative API paths
- Hunt for suspicious SQL-like input in HTTP headers
- Treat unpatched exposed servers as potentially compromised
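As an added defender-side example (not code from this article, from Fortinet, or from the third-party researchers), the script below runs the log review described above over a few constructed log lines: it flags requests to the /api/v1/init_consts path named in the exploitation reporting whose Site header carries SQL-like content instead of a hostname. The log format, field order and sample lines are all assumptions; adapt the regex to whatever your reverse proxy or EMS host actually writes.

```python
import re

# Constructed sample lines in a hypothetical reverse-proxy log format; the
# article says nothing about how EMS itself logs requests, so this layout is
# an assumption. Fields: client IP, method, path, status, then the Site header.
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/init_consts 200 "ems.corp.example"
203.0.113.7 GET /api/v1/init_consts 200 "x' OR '1'='1"
203.0.113.7 GET /api/v1/init_consts 500 "a' UNION SELECT 1,2,3--"
10.0.0.9 GET /index.html 200 "ems.corp.example"
198.51.100.2 GET /api/v1/init_consts 200 "ems.corp.example;-- "
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<site>[^"]*)"$'
)

# The endpoint named in the third-party exploitation reporting quoted above.
WATCHED_PATHS = {"/api/v1/init_consts"}

# A Site header should hold a hostname, so any of these inside it is a red flag.
SQL_INDICATORS = {
    "quote": re.compile(r"'"),
    "sql-keyword": re.compile(r"\b(union|select|insert|update|delete|sleep)\b", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s*'?\w+'?\s*=", re.I),
    "comment-or-terminator": re.compile(r"--|/\*|;"),
}

def suspicious_reasons(site: str) -> list:
    """Names of every SQL indicator matching the header value (empty if clean)."""
    return [name for name, rx in SQL_INDICATORS.items() if rx.search(site)]

def scan_log(text: str) -> list:
    """One dict per request to a watched path whose Site header looks like SQL."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["path"] not in WATCHED_PATHS:
            continue  # unparseable or uninteresting line: skip, never crash a bulk review
        reasons = suspicious_reasons(m["site"])
        if reasons:
            findings.append({"client": m["client"], "path": m["path"],
                             "status": m["status"], "site": m["site"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} status={f['status']} "
              f"site={f['site']!r} reasons={f['reasons']}")
```

Because the check keys on the header content rather than on a response code, it also catches probes that the server answered with 200, which a status-only filter would miss.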
FAQ
It is a critical SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4 that may let an unauthenticated attacker execute unauthorized code or commands through crafted HTTP requests.
Fortinet says only FortiClient EMS 7.4.4 is affected. FortiClient EMS 7.2, FortiClient EMS 8.0, and FortiEMS Cloud are not affected.
Yes, according to multiple reports published on March 30, 2026. Fortinet’s advisory page I found does not currently include an “exploited in the wild” notice, but outside reporting says attacks are underway.
I did not find CVE-2026-21643 in the KEV catalog results available to me on March 30, 2026. That can change quickly, so defenders should check the live catalog directly.