The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urgently added a critical vulnerability affecting Fortinet FortiClient Enterprise Management Server (EMS) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-21643, poses a severe risk to corporate networks.
The Impact of CVE-2026-21643
The vulnerability is a SQL Injection (SQLi) flaw in the DB2 administration component of FortiClient EMS. FortiClient EMS is a centralized management solution used by organizations to provision and manage endpoint security across their network.
By sending specifically crafted requests, an unauthenticated remote attacker can exploit this SQL injection vulnerability to execute arbitrary SQL queries against the underlying database. This allows the attacker to:
- Extract sensitive configuration data and administrative credentials.
- Modify database entries to grant themselves unauthorized access.
- In worst-case scenarios, achieve remote code execution on the server hosting the EMS instance, potentially leading to full network compromise.
Given its inclusion in the CISA KEV catalog, federal agencies are mandated to patch this flaw immediately, and private sector organizations are highly encouraged to do the same due to active exploitation by threat actors.
How to check if you’re affected
- Identify Your Version: Check the version of your FortiClient EMS deployment. According to Fortinet’s advisory, multiple 7.0 and 7.2 release trains are affected.
- Apply the Patch: Upgrade your FortiClient EMS installation to the latest secure version specified by Fortinet (e.g., 7.2.5 or later, 7.0.12 or later).
- Review Logs: Administrators should thoroughly review EMS access logs and database query logs for any suspicious activity or indicators of compromise (IoCs) related to SQL injection patterns.