THREAT INTELLIGENCE

Fortinet FortiClient EMS CVE-2026-21643 Actively Exploited

Affected Environment
Fortinet FortiClient EMS 7.4 up to 7.4.4 is affected by CVE-2026-21643. Internet-exposed EMS instances, estimated in the low thousands, are at risk.

Threat Overview
An SQL injection flaw in FortiClient EMS is now under active exploitation. Unauthenticated attackers can run arbitrary code or commands on vulnerable hosts.

Exposure Timeline
Exploitation activity has been observed for approximately four days. The vulnerability is not yet listed in CISA KEV but is already being abused.

Attack Surface
Public-facing FortiClient EMS servers reachable over HTTP are exposed. Over 2,000 online EMS instances increase the chance of targeted scanning.

Technical Root Cause
The root cause is improper neutralization of SQL elements (CWE-89) in EMS request handling. Specially crafted HTTP requests bypass input validation and reach SQL.

Exploitation Pathway
Attackers send malicious SQL via crafted HTTP requests to EMS. Recent cases show payloads smuggled through the ‘Site’ header field.

Operational Impact
Compromise may give attackers remote execution on EMS infrastructure. This can enable lateral movement, policy tampering, or broader access.

Strategic Impact
Uncontrolled EMS compromise can weaken endpoint security governance. Large public exposure raises systemic risk for governments and businesses.

Required Mitigation
Upgrade FortiClient EMS from 7.4–7.4.4 to 7.4.5 or later after testing. Implement structured vulnerability, patch, and privilege management.

Incident Response Guidance
Scan externally exposed assets to identify vulnerable EMS instances. If compromise is suspected, isolate EMS, investigate, and remediate quickly.
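
For the investigation step, and for the 'Site' header pathway noted under Exploitation Pathway, the following is an added example (not from the advisory, Fortinet, or the referenced PoC) that triages proxy logs for Site header values that do not look like a plain site name. The JSON log layout, its field names, the allowlist pattern, and the sample records are all assumptions constructed for illustration.

```python
import json
import re

# Assumption: legitimate Site values are short names made of letters,
# digits, dot, underscore and hyphen. Tune this to your deployment.
SITE_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Characters and keywords common in SQL that have no place in a site name.
SQL_HINTS = re.compile(r"['\";]|--|/\*|\b(select|union|sleep|copy|exec)\b", re.I)

# Constructed sample: JSON lines such as a reverse proxy in front of EMS
# could emit if configured to log the Site request header (fields assumed).
SAMPLE_LOG = """\
{"ts":"2026-01-01T10:00:01Z","src":"198.51.100.7","path":"/","site":"default"}
{"ts":"2026-01-01T10:00:02Z","src":"203.0.113.9","path":"/","site":"x'; SELECT 1 --"}
{"ts":"2026-01-01T10:00:03Z","src":"198.51.100.7","path":"/","site":"branch-02"}
{"ts":"2026-01-01T10:00:04Z","src":"198.51.100.8","path":"/","site":"HQ (old site)"}
not-json garbage line
{"ts":"2026-01-01T10:00:05Z","src":"198.51.100.8","path":"/"}
"""

def triage_site_headers(log_text):
    """Return one finding per record whose Site value fails the allowlist."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record, skip it
        site = rec.get("site") if isinstance(rec, dict) else None
        if not isinstance(site, str) or SITE_ALLOWED.fullmatch(site):
            continue  # header absent, or it looks like a plain site name
        findings.append({
            "line": lineno,
            "src": rec.get("src"),
            "site": site,
            # SQL-looking content is escalated; other oddities get a manual look.
            "severity": "high" if SQL_HINTS.search(site) else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage_site_headers(SAMPLE_LOG):
        print(finding)
```

A "high" finding against an EMS instance still on 7.4 through 7.4.4 is a reason to isolate that host and begin the investigation described above.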

References
Use vendor and community advisories to track exploit details and fixes. See BleepingComputer, GitHub PoC, and Fortinet PSIRT FG-IR-25-1142.
