Exploitation of Critical Fortinet FortiClient EMS Flaw Begins

The SQL injection vulnerability allows unauthenticated attackers to execute arbitrary code remotely, via crafted HTTP requests.

Threat actors have started exploiting a critical-severity vulnerability in Fortinet FortiClient EMS, threat intelligence firm Defused Cyber warns.

A centralized management server, FortiClient EMS allows organizations to deploy, configure, and monitor FortiClient endpoints across their environments. It also supports multi-tenant deployments, enabling the management of multiple customer sites from a single instance.

Tracked as CVE-2026-21643, the now-exploited bug is described as an SQL injection issue that can be exploited remotely, without authentication, via specially crafted HTTP requests.

Successful exploitation of the flaw, Fortinet notes in its advisory, could lead to arbitrary code or command execution.

The security defect impacts FortiClient EMS version 7.4.4 and was patched in early February in version 7.4.5. According to Fortinet, the vulnerability was discovered internally.

One month after public disclosure, cybersecurity firm Bishop Fox published ...