


Perceptive Security
SOC/SIEM Consultancy

Critical Fortinet Forticlient EMS flaw now exploited in attacks
Published:
30 March 2026 at 07:48:17
Alert date:
30 March 2026 at 08:01:51
Source:
bleepingcomputer.com
Enterprise Applications, Security Tools, Network Infrastructure
Attackers are actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence reports. The vulnerability allows remote attackers to compromise the endpoint management system, which poses a significant risk to enterprise networks that rely on Fortinet's endpoint management solutions. Organizations using FortiClient EMS are advised to apply security patches immediately.
Technical details
CVE-2026-21643 is a SQL injection vulnerability in Fortinet's FortiClient EMS platform. It allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks that target the FortiClientEMS GUI web interface with maliciously crafted HTTP requests. Attackers can smuggle SQL statements through the 'Site' header of an HTTP request. The vulnerability was discovered internally by Gwendal Guégniaud of the Fortinet Product Security team.
Mitigation steps:
Upgrade FortiClient EMS to version 7.4.5 or later to patch the vulnerability. Organizations should immediately identify and secure any publicly exposed FortiClient EMS instances: close to 1000 instances are publicly exposed according to Shodan, and Shadowserver tracks over 2,000 instances with their web interfaces exposed online.
Affected products:
Fortinet FortiClient EMS version 7.4.4
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-21643
https://x.com/defusedcyber/status/2037912573274636781
https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=365&vendor=fortinet&type=security-management&model=forticlient+enterprise+management+server+%28ems%29&dataset=count&limit=100&group_by=geo&stacking=stacked
https://www.shodan.io/search?query=%22Model%3A+FCTEMS%22
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-48788
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=%22Fortinet%22
IOCs:
Maliciously crafted HTTP requests targeting the FortiClientEMS GUI; SQL statements smuggled through the 'Site' header in HTTP requests
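
A triage check for the indicator above, as an added example that is not from the original alert or from Fortinet: it extracts the Site header from captured raw HTTP requests and flags values that contain SQL syntax. The allowed site-name pattern, the placeholder path and host, and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: legitimate Site values are short plain names.
PLAIN_SITE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")
# SQL syntax that has no place in a site name.
SQL_META = re.compile(r"['\";]|--|/\*|\*/")
SQL_WORDS = re.compile(r"\b(select|union|insert|update|delete|drop|exec|sleep)\b", re.I)

def site_header_values(raw_request: str) -> list[str]:
    """Return every Site header value in a raw HTTP request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "site":
            values.append(value.strip())
    return values

def assess_request(raw_request: str) -> list[str]:
    """Return the reasons a request's Site header needs review (empty if none)."""
    values = site_header_values(raw_request)
    reasons = ["duplicate Site headers"] if len(values) > 1 else []
    for value in values:
        if SQL_META.search(value):
            reasons.append(f"SQL metacharacter in Site header: {value!r}")
        elif SQL_WORDS.search(value):
            reasons.append(f"SQL keyword in Site header: {value!r}")
        elif not PLAIN_SITE.fullmatch(value):
            reasons.append(f"unexpected characters in Site header: {value!r}")
    return reasons

# Constructed sample requests (placeholder path and host, not real EMS endpoints).
BENIGN = "GET /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\nSite: default\r\n\r\n"
QUOTED = "GET /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\nSite: default'; SELECT 1--\r\n\r\n"
KEYWORD = "GET /placeholder HTTP/1.1\r\nHost: ems.example.internal\r\nsite: a union select b\r\n\r\n"

if __name__ == "__main__":
    for name, request in [("benign", BENIGN), ("quoted", QUOTED), ("keyword", KEYWORD)]:
        print(name, assess_request(request) or "ok")
```

A site name that happens to contain one of the listed keywords will be flagged as well, so treat hits as leads for review rather than confirmed exploitation.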
This article was created with the assistance of AI technology by Perceptive.
