Fortinet has issued urgent security updates to address a critical FortiClientEMS SQL injection vulnerability. This high-severity flaw, designated CVE-2026-21643, carries a CVSS score of 9.1 out of 10.0 and could permit unauthenticated attackers to execute arbitrary code on vulnerable FortiClientEMS instances through specially crafted HTTP requests.
The cybersecurity vendor announced the fix on February 10, 2026, following its discovery by Gwendal Guégniaud of the Fortinet Product Security team. While Fortinet has not confirmed any existing exploitation in the wild, prompt application of the security patches is strongly advised for all affected users to prevent potential compromise.
FortiClientEMS Vulnerability Requires Immediate Action
The SQL injection vulnerability, classified under CWE-89, arises from improper neutralization of SQL command elements within FortiClientEMS. This oversight enables attackers to bypass security controls and potentially gain unauthorized command execution capabilities. The severity of this Fortinet flaw underscores the persistent risks associated with web application security and the ongoing need for robust patching strategies.
The following versions of FortiClientEMS are impacted by this critical security flaw:
- FortiClientEMS 7.4.4 requires an upgrade to version 7.4.5 or later to be secured.
- FortiClientEMS 7.2 and 8.0 are not affected by this specific vulnerability.
Fortinet’s advisory emphasized that an unauthenticated attacker could exploit this weakness by sending specifically crafted HTTP requests. This could lead to the execution of unauthorized code or commands, potentially granting attackers deep access to sensitive systems and data managed by FortiClientEMS. Network security professionals are scrutinizing the implications of such an exploit, particularly in enterprise environments where FortiClientEMS plays a crucial role in endpoint security management.
Broader Security Landscape and Fortinet’s Ongoing Efforts
This critical FortiClientEMS vulnerability emerges shortly after Fortinet addressed another significant security concern. A separate critical vulnerability (CVE-2026-24858, CVSS 9.4) was found in multiple Fortinet products, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb. This other flaw allowed attackers with a FortiCloud account to access other devices registered to different accounts if FortiCloud SSO authentication was enabled.
Fortinet has acknowledged that the latter vulnerability was actively exploited in the wild. Threat actors were reportedly using it to establish local administrator accounts for persistence, modify configurations to grant VPN access, and exfiltrate firewall configurations. This dual disclosure highlights an active period of vulnerability discovery and exploitation targeting Fortinet’s product suite, emphasizing the importance of comprehensive security monitoring and rapid patch deployment across all their solutions.
The active exploitation of the FortiOS-related flaw signals a heightened threat level for organizations relying on these network devices. The ability for attackers to gain persistence and exfiltrate sensitive configuration data poses a substantial risk to an organization’s network integrity and data confidentiality. This situation serves as a stark reminder for organizations to maintain vigilant security practices, including regular vulnerability scanning and prompt patching of all network infrastructure and endpoint security solutions.
Looking ahead, Fortinet users are advised to prioritize the immediate deployment of the security updates for the affected FortiClientEMS versions. The ongoing cybersecurity landscape necessitates swift responses to critical vulnerabilities to mitigate potential damage and maintain a strong security posture. Further advisories from Fortinet regarding any new threats or the status of deployed patches will be closely monitored by security professionals worldwide.