A critical Fortinet FortiClient EMS vulnerability, CVE-2026-21643, is now being reported as actively exploited in real-world attacks. The bug is a pre-auth SQL injection issue that can let attackers run unauthorized commands through specially crafted HTTP requests to the EMS web interface.
Fortinet’s release notes identify FortiClient EMS 7.4.4 as vulnerable and state the issue is fixed in 7.4.5 and later. If your EMS console is exposed to the internet (or broadly reachable internally), this should be treated as a priority patch.
This is especially important because EMS is usually connected to endpoint fleet management, making it a high-impact target for lateral movement after initial compromise.
How to check if you’re affected
Affected versions: FortiClient EMS 7.4.4 (CVE-2026-21643). Fortinet documentation indicates 7.4.5+ contains the fix.
- Log in to your FortiClient EMS admin console and confirm the exact server version.
- If you are on 7.4.4, schedule emergency upgrade to 7.4.5 or newer.
- Review web server and EMS logs for unusual or repeated crafted HTTP requests to the EMS GUI, especially from unknown IPs.
- Restrict EMS web interface access to trusted admin networks only (VPN/IP allowlist), not public internet.
- If exposure is suspected, rotate privileged credentials and review endpoint policy changes made recently.
What to do now
- Patch first, then harden interface exposure.
- Add temporary detection for unusual SQL-like request patterns hitting EMS endpoints.
- Treat any internet-exposed 7.4.4 instance as potentially at risk until reviewed.