CVE-2026-21643: FortiClient EMS Critical SQL Injection — Actively Exploited, No Credentials Required

Ali Dak — Fri, 03 Apr 2026 10:18:39 +0000

Originally published at vulntracker.io

A critical SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) is now being actively exploited in real-world attacks. The flaw, tracked as CVE-2026-21643, allows a remote, unauthenticated attacker to execute arbitrary SQL commands against the backend PostgreSQL database — with a single HTTP request.

No credentials needed. No user interaction required. Just one crafted HTTP header.

How the Vulnerability Works

FortiClient EMS v7.4.4 introduced a refactored middleware stack for its multi-tenant deployment feature. The HTTP header used to identify which tenant a request belongs to gets passed directly into a database query — without any sanitization — and before any authentication check.

An attacker who can reach the EMS web interface over HTTPS can exploit this in a single request. The result: full access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints.

One request to the management server, and the attacker sees everything.

The Exploitation Timeline

February 6 — Fortinet discloses CVE-2026-21643 and releases FortiClient EMS 7.4.5
Early March — Bishop Fox publishes a technical deep dive
March 25 — First exploitation observed in the wild (Defused Cyber)
March 29 — Active exploitation publicly reported
March 30 — Multiple security outlets confirm the threat

At the time of writing, CISA has not yet added it to KEV, but the attacks are already happening.

Why FortiClient EMS Is a High-Value Target

FortiClient EMS controls endpoint agents across an organization's entire device fleet — Windows, macOS, Linux, iOS, Android. Compromising EMS means:

Admin credential theft — full management console access
Endpoint inventory exposure — attackers learn every device in the network
Security policy manipulation — disable protections, create backdoors
Certificate access — endpoint authentication certificates
Lateral movement — from management server to every endpoint

This follows a pattern in 2026: the security management tool becomes the attack vector.

Who's Affected

Only FortiClient EMS version 7.4.4 in multi-tenant mode. Versions 7.2 and 8.0 are not affected. Single-site deployments are not affected.

Shodan data shows approximately 1,000 FortiClient EMS instances publicly exposed. The Shadowserver Foundation tracks over 2,000, with 1,400+ IPs in the US and Europe.

What To Do

Check your version. If running 7.4.4, upgrade to 7.4.5 immediately
Restrict access to the EMS web interface — it should not be internet-exposed
Review logs for anomalous tenant-identification headers
If exploitation occurred: rotate admin credentials, audit endpoint certificates, review security policies

CVE-2026-21643 · CVSS 9.3 · Affected: FortiClient EMS 7.4.4 (multi-tenant) · Fix: Upgrade to 7.4.5

Want to track vulnerabilities like this automatically? VulnTracker monitors your tech stack and alerts you the moment a new CVE affects your products — via email, Telegram, or Slack. Free to start.