Full Report
Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence company Defused. [...]
Analysis Summary
# Vulnerability: Critical SQL Injection in Fortinet FortiClient EMS
## CVE Details
- **CVE ID:** CVE-2026-21643
- **CVSS Score:** 9.8 (Critical), estimated from the description (unauthenticated, network-reachable SQL injection leading to code execution); confirm the vendor-assigned score against the FortiGuard advisory.
- **CWE:** CWE-89 (SQL Injection)
## Affected Systems
- **Products:** Fortinet FortiClient Enterprise Management Server (EMS)
- **Versions:** Version 7.2.x through 7.4.4
- **Configurations:** Systems with the FortiClient EMS GUI (web management interface) reachable from the internet.
## Vulnerability Description
CVE-2026-21643 is a critical SQL injection vulnerability in the web management interface of FortiClient EMS. The flaw lets an unauthenticated attacker smuggle SQL statements to the backend database through the `Site` HTTP request header. Successful injection yields query execution against the EMS database and, per the report, can be escalated to arbitrary code or operating-system command execution on the underlying server.
## Exploitation
- **Status:** Exploited in the wild (Reports indicate active exploitation began as early as late March 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to database and potential system files)
- **Integrity:** High (Ability to execute commands and modify system data)
- **Availability:** High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
Fortinet has released fixed versions of FortiClient EMS. Administrators should upgrade to:
- **FortiClient EMS version 7.4.5** or later.
- Users on the 7.2 branch should check the FortiGuard PSIRT advisory for the fixed release on that branch.
### Workarounds
- **Network Filtering:** Restrict access to the FortiClient EMS web interface (GUI) to internal management networks only; do not expose it to the internet.
- **Access Control:** Use firewall policies that allow only trusted management source addresses to reach the EMS management ports and deny everything else. A block-list of known-bad addresses is not sufficient against opportunistic scanning.
## Detection
- **Indicators of Compromise:** Monitor HTTP logs for unusual or malformed values in the `Site` request header. Note that standard web-server access logs do not record arbitrary request headers, so the reverse proxy or WAF in front of EMS (or the EMS web server itself) must be configured to log `Site` before this check is possible. Suspicious values include quote characters, SQL keywords (`UNION`, `SELECT`, `EXEC`), comment sequences (`--`, `/*`) and URL-encoded forms of these.
- **Detection methods and tools:**
  - **Shodan/Shadowserver:** Check whether your EMS instances appear in public scan data; Shadowserver's exposure statistics put the number of internet-exposed instances at roughly 1,000–2,000.
  - **Log Analysis:** Audit web-server and proxy logs for SQL syntax or command-injection patterns in requests to the management interface, and correlate hits with unexpected 5xx responses or database errors.
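As an added example (not from the report or from Fortinet), the log check above implemented as a small Python scanner. It assumes a hypothetical reverse-proxy log format in which the `Site` request header has been recorded as `site="..."` at the end of each line, and that a legitimate site name is a short token of letters, digits, `.`, `_` and `-`; both assumptions are marked in the code and should be adjusted to your proxy and to the site names configured in your EMS. The sample log lines are constructed, not captured traffic.

```python
"""Scan reverse-proxy access logs for SQL-injection payloads in the Site header.

Added example. Assumptions that are not in the advisory: the proxy in front of
the FortiClient EMS GUI records the request line, status code and the Site
request header in the format parsed by LOG_RE below, and a legitimate Site
value is a short token of letters, digits, '.', '_' and '-'.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Hypothetical proxy log format:
#   <src> - - [<ts>] "<request line>" <status> site="<Site header value>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'site="(?P<site>[^"]*)"$'
)

# What a SQL injection carried in a header looks like, checked both raw and
# URL-decoded. Order matters only for the order in which hits are reported.
SQLI_SIGNATURES = {
    "quote_break":   re.compile(r"""['"]\s*(?:(?:or|and|union|select)\b|;|--|/\*)""", re.I),
    "union_select":  re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|exec|execute|declare|waitfor)\b", re.I),
    "comment_tail":  re.compile(r"(?:--|/\*)\s*$"),
    "time_based":    re.compile(r"\b(?:waitfor\s+delay|sleep\s*\(|pg_sleep\s*\()", re.I),
    "cmd_exec":      re.compile(r"\b(?:xp_cmdshell|sp_oacreate|openrowset|xp_regwrite)\b", re.I),
    "db_enum":       re.compile(r"(?:@@version|\binformation_schema\b|\bsysobjects\b)", re.I),
}
# Assumed shape of a benign site name; tune to the names configured in your EMS.
SITE_OK = re.compile(r"^[A-Za-z0-9._-]{0,64}$")


@dataclass
class Finding:
    src: str
    ts: str
    site: str
    signatures: list
    severity: str  # "high" when SQL syntax is present, "low" for merely unexpected characters


def inspect_site(value: str) -> list:
    """Return the names of every signature the Site header value triggers."""
    decoded = unquote(value)  # attackers routinely URL-encode quotes and spaces
    hits = [name for name, rx in SQLI_SIGNATURES.items()
            if rx.search(value) or rx.search(decoded)]
    if not SITE_OK.fullmatch(decoded):
        hits.append("unexpected_chars")
    return hits


def scan_logs(lines) -> list:
    """Parse each log line and return a Finding for every suspicious Site header."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:  # lines in another format are skipped, not guessed at
            continue
        hits = inspect_site(m["site"])
        if not hits:
            continue
        severity = "high" if any(h != "unexpected_chars" for h in hits) else "low"
        findings.append(Finding(m["src"], m["ts"], m["site"], hits, severity))
    return findings


# Constructed sample lines, not captured traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [27/Mar/2026:10:01:02 +0000] "GET /api/v1/login HTTP/1.1" 200 site="default"',
    '10.0.0.9 - - [27/Mar/2026:10:01:07 +0000] "POST /api/v1/login HTTP/1.1" 200 site="hq-east_01"',
    '10.0.0.9 - - [27/Mar/2026:10:02:11 +0000] "GET /api/v1/status HTTP/1.1" 200 site=""',
    '203.0.113.77 - - [27/Mar/2026:10:05:44 +0000] "POST /api/v1/login HTTP/1.1" 500 site="default\' OR 1=1--"',
    '203.0.113.77 - - [27/Mar/2026:10:05:49 +0000] "POST /api/v1/login HTTP/1.1" 500 site="x\'; EXEC xp_cmdshell \'whoami\'--"',
    '198.51.100.23 - - [27/Mar/2026:10:09:03 +0000] "POST /api/v1/login HTTP/1.1" 500 site="default%27%20UNION%20SELECT%20@@version--"',
    '10.0.0.12 - - [27/Mar/2026:10:10:30 +0000] "GET /api/v1/status HTTP/1.1" 200 site="branch office"',
    'this line is not in the expected format and is skipped',
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.severity:4} {f.src:14} {f.ts}  site={f.site!r}  {','.join(f.signatures)}")
```

The scanner matches both the raw and the URL-decoded header value because a payload such as `%27%20UNION` contains no literal quote and would otherwise slip past a naive quote check; the `unexpected_chars` rule catches values that are not SQL but are still not site names, which is worth a low-severity look when the source address is external.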
## References
- **Vendor Advisory:** hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-25-1142
- **Threat Intel:** hxxps[://]x[.]com/defusedcyber/status/2037912573274636781
- **Exposure Profile:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/?vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29