RSS
← All articles
vulnerability
CVE-2026-21643
2026-03-30

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

fortinetforticlient-emssql-injectionrceactively-exploited
Check
Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected
FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix
Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.
Related Articles
vulnerabilityNGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)
threatBackend of 'The Gentlemen' ransomware operation leaked - 9 named operators, ransom chat transcripts, and chain-victimization tactics now public
vulnerabilityFortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)