Critical Fortinet FortiClient EMS Vulnerability Exploited by Hackers (CVE-2026-21643)


A Critical Bug in Fortinet’s FortiClient EMS Under Active Attack

On January 10th, 2023, a severe SQL injection vulnerability (CVE-2026-21643) was identified in Fortinet’s FortiClient Endpoint Management Server (EMS). This issue enables remote, unauthenticated attackers to send malicious HTTP requests to the FortiClient EMS administrative interface, potentially executing unauthorized code or commands.

“The vulnerability, discovered internally by Gwendal Guégniaud of Fortinet’s Product Security team, affects only deployments running FortiClient EMS version 7.4.4. The flaw was patched in December 2026 with the release of version 7.4.5.” – Fortinet’s Advisory

Technical Details

  • The vulnerability exists because the HTTP header that identifies which tenant a request belongs to is inserted directly into a database query without sanitization, and this lookup happens before any login check is performed.
  • An attacker who can reach the EMS web interface over HTTPS requires no credentials to exploit this vulnerability. A single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database.
  • This grants attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints.
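The defect described in the list above is the classic pre-authentication SQL injection shape: an untrusted request header spliced into query text. The snippet below is an added illustration written for this page, not Fortinet's code; it assumes a hypothetical tenant table and uses Python's built-in sqlite3 as an offline stand-in for the PostgreSQL backend (the concatenation bug and the parameterised fix look the same on either engine). The header name is not given in the advisory, so no real header is named here.

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a tenant table; contents are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT UNIQUE, api_secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO tenants (name, api_secret) VALUES (?, ?)",
        [("acme", "constructed-secret-1"), ("globex", "constructed-secret-2")],
    )
    conn.commit()
    return conn


def lookup_tenant_vulnerable(conn: sqlite3.Connection, tenant_header: str) -> list:
    """The defect pattern: the untrusted header value is spliced into SQL text,
    so quote characters in the header change the meaning of the query."""
    sql = "SELECT name, api_secret FROM tenants WHERE name = '" + tenant_header + "'"
    return conn.execute(sql).fetchall()


def lookup_tenant_safe(conn: sqlite3.Connection, tenant_header: str) -> list:
    """Hardened form: the header value is bound as a parameter, so the driver
    only ever compares it as data and never parses it as SQL."""
    sql = "SELECT name, api_secret FROM tenants WHERE name = ?"
    return conn.execute(sql, (tenant_header,)).fetchall()


# Defence in depth: a strict allow-list for the tenant identifier (assumed
# format). This does not replace parameterisation, but it rejects malformed
# values before any database round-trip and is easy to mirror in a WAF rule
# or an access-log detection.
TENANT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_well_formed_tenant_id(value: str) -> bool:
    return TENANT_ID_RE.fullmatch(value) is not None


def resolve_tenant(conn: sqlite3.Connection, tenant_header: str) -> list:
    """What a pre-authentication tenant lookup should look like: validate the
    shape first, then query with a bound parameter."""
    if not is_well_formed_tenant_id(tenant_header):
        return []
    return lookup_tenant_safe(conn, tenant_header)


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed header value with an embedded quote, to show the difference.
    crafted = "acme' OR 'x'='x"
    print("vulnerable:", lookup_tenant_vulnerable(db, crafted))  # every tenant row
    print("safe:      ", lookup_tenant_safe(db, crafted))        # no rows
    print("resolve:   ", resolve_tenant(db, "acme"))             # one tenant
```

Run it directly to see the three outcomes side by side: the concatenated query returns every tenant's secret for a header containing a quote, while the parameterised query treats the same value as a literal name that matches nothing, and the validated path refuses it before the database is touched.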

Vulnerable Versions

  • FortiClient EMS version 7.4.4 is affected.
  • FortiClient EMS branches 7.2 and 8.0 are not affected.

Action Required

  • Organizations running FortiClient EMS 7.4.4 with multi-tenant mode enabled are advised to upgrade to 7.4.5 immediately.
  • Single-site deployments are not impacted.

Potential Exposure

  • Defused Cyber reports that approximately 1000 instances of FortiClient EMS are publicly exposed, although it remains unclear how many of these are running the vulnerable software version in multi-tenant mode.
  • Fortinet has yet to confirm exploitation of CVE-2026-21643.
