Attackers are actively exploiting CVE-2026-21643, a critical SQL injection in Fortinet's FortiClient EMS that lets unauthenticated actors execute arbitrary code through the EMS web interface. The flaw affects FortiClient EMS 7.4.4 and is remediated by upgrading to 7.4.5 or later; until then, Shodan and Shadowserver data show thousands of EMS instances still reachable from the internet. #CVE202621643 #FortiClientEMS
Keypoints
- Attackers are actively exploiting CVE-2026-21643, an SQL injection in FortiClient EMS.
- The vulnerability lets unauthenticated actors execute arbitrary code via crafted HTTP requests.
- The exploit abuses the "Site" HTTP header to smuggle SQL statements into the EMS GUI.
- FortiClient EMS version 7.4.4 is affected; upgrade to 7.4.5 or later to patch the issue.
- Shodan and Shadowserver report thousands of exposed EMS instances, many in the US and Europe.
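As an added example (not code from the original article, and not Fortinet's), the script below does the two checks a defender would want after reading the keypoints: it classifies an EMS version string against what the page states (7.4.4 affected, 7.4.5 or later patched; anything else is reported as not covered rather than guessed), and it flags raw HTTP requests whose "Site" header carries SQL-statement syntax. The sample requests, the request path, and the shape of the malicious header value are constructed for illustration; the page does not publish the real payload.

```python
"""Added example: EMS version triage plus a 'Site' header SQL-injection
indicator check. Version rules follow the page (7.4.4 affected, >= 7.4.5
patched); the sample requests below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote


def parse_version(v: str) -> tuple:
    """Turn '7.4.4' or '7.4.10 build 2034' into (7, 4, 4) / (7, 4, 10)."""
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums[:3])


def version_status(v: str) -> str:
    """'affected' for 7.4.4, 'patched' for 7.4.5 or later in the 7.4 branch.
    Other versions return 'not-covered': the page says nothing about them,
    so check the vendor advisory instead of assuming."""
    major, minor, patch = (parse_version(v) + (0, 0, 0))[:3]
    if (major, minor) != (7, 4):
        return "not-covered"
    if patch >= 5:
        return "patched"
    return "affected" if patch == 4 else "not-covered"


# Indicator classes for SQL statement syntax inside a header value.
_INDICATORS = {
    "quote": re.compile(r"'"),
    "separator": re.compile(r";"),
    "comment": re.compile(r"--|/\*"),
    "keyword": re.compile(
        r"\b(?:select|union|insert|update|delete|drop|exec(?:ute)?|"
        r"declare|waitfor|xp_\w+)\b",
        re.IGNORECASE,
    ),
}


def sqli_indicators(value: str) -> set:
    """Percent-decode first so 'hq%27%3B' is treated like "hq';",
    then return the set of indicator classes present."""
    decoded = unquote(value)
    return {name for name, rx in _INDICATORS.items() if rx.search(decoded)}


def site_header_suspicious(value: str) -> bool:
    """A lone quote can be a legitimate site name (O'Brien); a SQL keyword,
    or two different indicator classes together, is what an attempt looks like."""
    hits = sqli_indicators(value)
    return "keyword" in hits or len(hits) >= 2


def site_header_value(raw_request: str):
    """Return the raw 'Site' header value from an HTTP request, or None.
    Header names are matched case-insensitively."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "site":
            return value.strip()
    return None


def triage(requests) -> list:
    """Return (index, site_value) for every request whose Site header
    looks like a SQL-injection attempt."""
    hits = []
    for i, req in enumerate(requests):
        value = site_header_value(req)
        if value is not None and site_header_suspicious(value):
            hits.append((i, value))
    return hits


# Constructed sample traffic; the path "/" is a placeholder, not the real endpoint.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nHost: ems.example.internal\r\nSite: headquarters\r\n\r\n",
    "POST / HTTP/1.1\r\nHost: ems.example.internal\r\nSite: hq'; SELECT 1 --\r\n\r\n",
    "POST / HTTP/1.1\r\nHost: ems.example.internal\r\nsite: hq%27%20UNION%20SELECT%201\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: ems.example.internal\r\n\r\n",
]

if __name__ == "__main__":
    for v in ("7.4.4", "7.4.5", "7.4.10 build 2034", "7.2.9"):
        print(f"EMS {v}: {version_status(v)}")
    for i, value in triage(SAMPLE_REQUESTS):
        print(f"request {i}: suspicious Site header {value!r}")
```

The scoring deliberately does not alert on a single quote by itself, which keeps legitimate site names with apostrophes quiet; tune the indicator set against your own EMS logs before wiring it into a detection pipeline, and treat a `keyword` hit as the strongest signal.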