# Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)

_Friday, June 26, 2026 at 6:15 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_

![Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643) — Primary](https://img.helpnetsecurity.com/wp-content/uploads/2025/01/16140047/fortinet-1500-3.webp)

A critical SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server is under active exploitation, according to threat intelligence firm Defused.

The flaw, identified as CVE-2026-21643, was discovered internally by Fortinet Product Security team member Gwendal Guégniaud. It stems from improper neutralization of special elements in SQL commands and affects only deployments running FortiClientEMS version 7.4.4. Remote unauthenticated attackers can exploit it by sending specially crafted HTTP requests to internet-exposed administrative interfaces, potentially allowing unauthorized code or command execution.

Defused stated that exploitation was first observed four days ago in its honeypot data, even though the vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog or other known-exploited-vulnerabilities lists. Fortinet has not yet confirmed the exploitation reports. The company fixed the issue in version 7.4.5, released in December 2026. Branches 7.2 and 8.0 are not affected.

Bishop Fox researchers published a technical analysis of the vulnerability in early March 2026. They noted that a refactor of the middleware and database connection layer for multi-tenant support in version 7.4.4 introduced the flaw by passing a tenant-identifying HTTP header directly into a PostgreSQL database query without sanitization and before any login check. A single crafted request can execute arbitrary SQL, granting access to administrative credentials, endpoint inventory data, security policies, and certificates for managed endpoints.
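The pattern Bishop Fox describes, a request header used as a tenant key and interpolated into a query that runs before authentication, is easy to recognize in code review. The following is an added illustration, not Fortinet's code and not from the Bishop Fox analysis: the header name, table layout and tenant identifiers are all constructed here, and an in-memory SQLite database stands in for PostgreSQL so it runs offline. It places the unsafe lookup beside a hardened version that validates the header against a strict format and uses a bound parameter, and shows a pre-authentication middleware step calling the hardened form.

```python
import re
import sqlite3

# Constructed header name; the real header is not named on the page.
TENANT_HEADER = "X-Tenant-Id"


def build_db():
    # Constructed sample schema and rows standing in for a multi-tenant
    # configuration store. Only the shape matters for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO tenants VALUES (?, ?)",
        [("tenant-a", "Acme"), ("tenant-b", "Globex")],
    )
    return conn


def lookup_tenant_vulnerable(conn, header_value):
    # Anti-pattern: the raw header value becomes part of the SQL text, so
    # the client, not the application, decides what the WHERE clause says.
    sql = f"SELECT id, name FROM tenants WHERE id = '{header_value}'"
    return conn.execute(sql).fetchall()


# Allowlist for what a tenant identifier is permitted to look like.
TENANT_ID_RE = re.compile(r"[a-z0-9-]{1,64}")


def lookup_tenant_hardened(conn, header_value):
    # Validate shape first, then bind the value as a parameter so the
    # database driver never treats it as SQL syntax.
    if header_value is None or TENANT_ID_RE.fullmatch(header_value) is None:
        return None
    rows = conn.execute(
        "SELECT id, name FROM tenants WHERE id = ?", (header_value,)
    ).fetchall()
    return rows[0] if rows else None


def resolve_tenant_middleware(conn, headers):
    # Models a tenant-resolution step that runs before any login check, which
    # is exactly why its input handling must be strict: unauthenticated
    # callers reach it. Returns the tenant row or None (reject the request).
    return lookup_tenant_hardened(conn, headers.get(TENANT_HEADER))


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed tautology to show the difference
    print("vulnerable:", lookup_tenant_vulnerable(db, probe))
    print("hardened:  ", lookup_tenant_hardened(db, probe))
    print("middleware:", resolve_tenant_middleware(db, {TENANT_HEADER: "tenant-a"}))
```

The vulnerable function returns every tenant for a value that is not a tenant id at all, while the hardened one rejects it before the query runs and returns exactly one row for a well-formed id. The format check is defense in depth; the parameter binding is the fix.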

Bishop Fox advised organizations running FortiClient EMS 7.4.4 with multi-tenant mode enabled to upgrade immediately to version 7.4.5. Single-site deployments are not affected. Defused reported that Shodan shows close to 1,000 publicly exposed FortiClient EMS instances, though the number running the vulnerable version in multi-tenant mode is unknown.

## Sources

- [Help Net Security](https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/)

---
Canonical: https://techandbusiness.org/newswire/dwShKCC5FBZlnWiQ1QUiNu
Retrieved: 2026-06-27T04:15:06.100Z
Publisher: Tech & Business (techandbusiness.org)
