Two actively exploited vulnerabilities in Fortinet’s FortiClientEMS allow unauthenticated remote code execution: a critical SQL Injection (CVE-2026-21643) and an improper access control/API bypass (CVE-2026-35616). Fortinet has issued hotfixes and upgrades (upgrade 7.4.4→7.4.5+ for the SQLi; apply the hotfix and move to 7.4.7+ for the access control issue) while CISA and Singapore’s CSA have warned organizations to patch immediately. #FortiClientEMS #CVE-2026-21643 #CVE-2026-35616
Key points
- Both CVE-2026-21643 (SQL Injection) and CVE-2026-35616 (improper access control) are being actively exploited in the wild.
- CVE-2026-21643 is an unauthenticated SQL injection in the FortiClientEMS administrative interface affecting version 7.4.4.
- CVE-2026-35616 allows attackers to bypass API authentication/authorization and affects FortiClientEMS 7.4.5–7.4.6, risking full server compromise.
- Fortinet advises upgrading 7.4.4 to 7.4.5+ to fix the SQLi and applying the hotfix (then upgrading to 7.4.7+) to remediate the access control flaw.
- CISA added CVE-2026-35616 to its KEV catalog and Singapore’s CSA issued alerts, urging immediate patching and mitigation.
Read More: https://thecyberexpress.com/forticlientems-flaws-under-active-exploitation/