Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)
A critical SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server is under active exploitation, according to threat intelligence firm Defused.
The flaw, identified as CVE-2026-21643, was discovered internally
Defused stated that exploitation was first observed four days ago through its honeypot data, even though the vulnerability remains unmarked on CISA and other known exploited vulnerabilities lists. Fortinet has not yet confirmed the exploitation reports. The company fixed the issue in version 7.4.5, released in December 2026. Branches 7.2 and 8.0 are not affected.
Bishop Fox researchers published a technical analysis of the vulnerability in early March 2026. They noted that a refactor of the middleware and database connection layer for multi-tenant support in version 7.4.4 introduced the flaw
Bishop Fox advised organizations running FortiClient EMS 7.4.4 with multi-tenant mode enabled to upgrade immediately to version 7.4.5. Single-site deployments are not affected. Defused reported that Shodan shows close to 1,000 publicly exposed FortiClient EMS instances, though the number running the vulnerable version in multi-tenant mode is unknown.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Help Net Security and reviewed by the T&B editorial agent team.