Critical Fortinet FortiClient EMS flaw now exploited in attacks
Fortinet’s FortiClient EMS platform is being actively exploited via a critical SQL injection flaw (CVE‑2026‑21643) that lets attackers run arbitrary code on unpatched systems through the web interface. The vulnerability, found in version 7.4.4, can be mitigated by upgrading to 7.4.5 or later. Defused reports attacks began four days ago, with nearly 1,000 exposed instances worldwide and over 2,000 identified by Shadowserver, many located in the U.S. and Europe. Fortinet has yet to issue an advisory marking it as exploited, but the flaw follows a pattern of recent Fortinet vulnerabilities being leveraged for ransomware and espionage campaigns.

Fortinet’s FortiClient EMS platform is under active exploitation of a critical vulnerability tracked as CVE-2026-21643. Threat intelligence researchers report that this SQL injection flaw allows unauthenticated attackers to execute arbitrary code or commands on unpatched FortiClient EMS deployments by sending crafted HTTP requests to the EMS web interface. The exploit rests on manipulating the Site header in those requests, which lets threat actors smuggle SQL statements into the backend database.
The vulnerability, discovered by Fortinet’s own product security team, affects FortiClient EMS version 7.4.4. A fix is available—upgrading to version 7.4.5 or later closes the hole. However, Fortinet has not yet publicly updated its security advisory to clearly label the flaw as exploited in the wild, and attempts to obtain an official comment from the vendor were not immediately successful.
Public exposure numbers surrounding this flaw are troubling. Shodan data indicates that roughly 1,000 FortiClient EMS instances are publicly reachable on the internet. Shadowserver’s monitoring shows more than 2,000 FortiClient EMS deployments online, with over 1,400 of those IPs located in the United States and Europe. Such exposure dramatically raises the risk profile for organizations relying on EMS as a centralized management point.
This isn’t Fortinet’s first encounter with exploitation of remotely accessible management interfaces. Historically, Fortinet vulnerabilities have been leveraged in ransomware campaigns and in cyber espionage operations. More recently, Fortinet mitigated a separate FortiCloud SSO zero-day by blocking related connections from devices with vulnerable firmware until patches could be deployed. The broader pattern—publicly disclosed flaws quickly weaponized against exposed networks—continues to shape defensive priorities for many organizations.
The wider vulnerability landscape also reinforces why such flaws attract immediate attention. In March 2024, U.S. CISA directed federal agencies to patch a FortiClient EMS SQL injection vulnerability that had already been exploited in ransomware campaigns and by state-sponsored actors to breach critical infrastructure. That directive underscored the persistent risk posed by Fortinet products when misconfigured or unpatched. Across the industry, CISA maintains a catalog of actively exploited vulnerabilities, with Fortinet-related flaws frequently featuring in ransomware and espionage campaigns.
For administrators and security teams, the immediate takeaway is clear: inventory FortiClient EMS deployments, verify exposure surfaces, and apply the official patch to 7.4.5 or later as soon as practicable. The exploitation activity and public-facing deployments present a real and present danger to organizations across sectors, and the risk remains elevated for those with EMS instances accessible from the internet.
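The inventory-and-patch step above is easy to get wrong when version strings are compared as text (a naive string compare ranks 7.4.10 below 7.4.5). The following is an added example, not code from the article or from Fortinet: it triages a small constructed EMS inventory against the affected (7.4.4) and fixed (7.4.5 or later) versions the article names, and orders hosts so that affected, internet-facing instances come first. The hostnames, the `Host` record layout and the priority labels are assumptions for illustration.

```python
"""Triage a FortiClient EMS inventory against the CVE-2026-21643 advisory.

Added example (not from the article or from Fortinet). It assumes a simple
in-house inventory of EMS hosts with a version string and an exposure flag.
Version boundaries come from the article: 7.4.4 affected, 7.4.5+ fixed.
"""
from dataclasses import dataclass

AFFECTED = (7, 4, 4)   # version the article names as vulnerable
FIXED = (7, 4, 5)      # first version the article says closes the hole


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.10' into (7, 4, 10) so comparisons are numeric, not lexical.

    A plain string compare would rank '7.4.10' below '7.4.5', which is the
    wrong answer for a "7.4.5 or later" fix boundary.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map a version string to the advisory's status for that build."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if v[:3] == AFFECTED:
        return "affected"
    # The article only names 7.4.4; other pre-7.4.5 builds need a vendor check.
    return "verify-with-vendor"


@dataclass
class Host:
    name: str              # hypothetical inventory hostname
    version: str           # EMS version string as recorded in the inventory
    internet_exposed: bool  # True if the web interface is reachable from the internet


def triage(hosts: list[Host]) -> list[tuple[str, str, str]]:
    """Return (priority, host, status) rows, most urgent first."""
    rows = []
    for h in hosts:
        status = classify(h.version)
        if status == "fixed":
            priority = "P3"
        elif status == "affected" and h.internet_exposed:
            priority = "P0"   # exploited in the wild and reachable: patch first
        elif status == "affected":
            priority = "P1"
        else:
            priority = "P2"
        rows.append((priority, h.name, status))
    return sorted(rows)


# Constructed sample inventory (hypothetical hostnames and exposure flags).
SAMPLE = [
    Host("ems-dmz-01", "7.4.4", True),
    Host("ems-lab-02", "7.4.4", False),
    Host("ems-hq-03", "7.4.10", True),
    Host("ems-old-04", "7.2.9", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Running the script lists `ems-dmz-01` first (affected and exposed), then the internal 7.4.4 host, then the build the article does not cover, and the patched 7.4.10 host last; the exposure flag would normally be populated from firewall rules or an external scan rather than typed by hand.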
As this situation develops, defenders are watching for fresh indicators of compromise and any updates from Fortinet regarding exploitation status. The convergence of unpatched systems, internet-facing EMS interfaces, and rapid attacker tooling once again highlights the importance of timely patching and robust network segmentation for centralized management services.