Emergency Security Bulletin: SQL Injection Vulnerability in Fortinet FortiClientEMS

https://www.redlegg.com/hubfs/Theme-2024/overlay-red.png

TABLE OF CONTENTS

NEW BLOGS

Vulnerability Bulletins

Emergency Security Bulletin: SQL Injection Vulnerability in Fortinet...

Vulnerability Bulletins

Emergency Security Bulletin: Supply Chain Compromise in Trivy and...

Vulnerability Bulletins

Emergency Security Bulletin: Out-of-Bounds Read Vulnerability in...

Vulnerability Bulletins

Emergency Security Bulletin: Remote Code Execution Vulnerability in...

By: RedLegg's Cyber Threat Intelligence Team

03/30/26 05:50 PM

About:

CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClientEMS caused by improper neutralization of special elements used in SQL commands within the web-based management interface.

An unauthenticated attacker can exploit this flaw by sending specially crafted HTTP requests to the FortiClientEMS interface. Successful exploitation may allow execution of unauthorized commands or code on the affected system, potentially leading to full compromise of endpoint management infrastructure.

This vulnerability is confirmed to be actively exploited in the wild, increasing risk to unpatched deployments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

SQL Injection Vulnerability in Fortinet FortiClientEMS

CVSS Score: 9.8 (Critical, CVSS v3.1)
Identifier: CVE-2026-21643
PoC or Exploitation:
Exploitation observed in the wild

Update/ Patch:

Fortinet has released fixes for this vulnerability.

Affected version:

FortiClientEMS 7.4.4

Fixed versions:

FortiClientEMS 7.4.5 or later

FortiClientEMS 8.0.0 and later (depending on release path)

Fortinet advisory and patch guidance:

https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

Description:

CVE-2026-21643 is an SQL injection vulnerability in Fortinet FortiClientEMS caused by improper neutralization of special elements used in SQL commands within the web-based management interface.

An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests to the FortiClientEMS interface. Successful exploitation may allow execution of unauthorized commands or code on the affected system.

Mitigation Recommendation:

Immediately upgrade FortiClientEMS to version 7.4.5 or later.

Prioritize patching internet-facing and externally accessible FortiClientEMS deployments.

Restrict access to the FortiClientEMS web interface to trusted management networks only.

Monitor web server and application logs for suspicious HTTP requests or anomalous administrative activity.