NAVANEM
CVE-2026-21643 (exploited in the wild)

Fortinet FortiClient EMS, unauthenticated SQL injection

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands on the affected management server via specifically crafted HTTP requests. The flaw affects FortiClientEMS 7.4.0 through 7.4.4.

Overview

CVE-2026-21643 is a critical (CVSS 9.8) SQL injection vulnerability in Fortinet FortiClient EMS (Enterprise Management Server), the centralized platform used to provision, manage, and monitor FortiClient endpoint agents. An unauthenticated, remote attacker can send specially crafted HTTP requests to execute unauthorized code or commands against the management server. Fortinet documented the issue in advisory FG-IR-25-1142, and NVD published the record on February 6, 2026. CISA added the CVE to its Known Exploited Vulnerabilities catalog on April 13, 2026, confirming exploitation in the wild.

Technical Details

The vulnerability is classified as CWE-89 (improper neutralization of special elements used in an SQL command). FortiClient EMS fails to properly sanitize attacker-supplied input contained in HTTP requests before it is incorporated into a backend SQL query, so an unauthenticated attacker can alter the query logic. Fortinet states that the flaw can be leveraged to run unauthorized code or commands, so the impact extends beyond data disclosure to compromise of the server itself; the advisory does not describe the specific injection point or the path from query manipulation to command execution. No authentication or user interaction is required, and the attack is delivered over the network. The CVSS base score on the NVD record is 9.8 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, scored by Fortinet as the CNA. The flaw affects FortiClientEMS versions 7.4.0 through 7.4.4.
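The mechanism behind CWE-89, shown as an added illustration of the vulnerability class and not as code from FortiClient EMS or from Fortinet. The table, column names and payloads are constructed; the advisory does not disclose the actual injection point in EMS, and nothing below reflects it. Python with the standard-library sqlite3 module is used because the point is how the query is built, not which database engine runs it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a toy endpoint-inventory table, not the EMS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE endpoints (id INTEGER PRIMARY KEY, hostname TEXT, site TEXT)"
    )
    conn.executemany(
        "INSERT INTO endpoints (hostname, site) VALUES (?, ?)",
        [("ws-01", "hq"), ("ws-02", "hq"), ("srv-01", "dmz")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, site: str) -> list[str]:
    """CWE-89 pattern: request input is spliced into the statement text.

    A quote in `site` terminates the string literal, after which the caller
    controls the rest of the WHERE clause and, via UNION, which table and
    column the statement reads.
    """
    sql = f"SELECT hostname FROM endpoints WHERE site = '{site}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, site: str) -> list[str]:
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT hostname FROM endpoints WHERE site = ?"
    return sorted(row[0] for row in conn.execute(sql, (site,)))


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "hq"))                                     # ['ws-01', 'ws-02']
    # Tautology: every row comes back because the predicate is always true.
    print(lookup_unsafe(db, "' OR '1'='1"))                            # ['srv-01', 'ws-01', 'ws-02']
    # UNION: a different column is read; the trailing -- comments out the closing quote.
    print(lookup_unsafe(db, "' UNION SELECT site FROM endpoints --"))  # ['dmz', 'hq']
    # Bound parameter: the same payload is compared as a literal and matches nothing.
    print(lookup_safe(db, "' OR '1'='1"))                              # []
```

The hardened form is the fix class Fortinet's CWE-89 classification implies; parameter binding keeps attacker input out of the statement grammar entirely, which input filtering alone does not guarantee.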

Impact

  • Unauthenticated SQL injection against the FortiClient EMS management server.
  • Potential execution of unauthorized code or commands on the server.
  • Disclosure or tampering of the EMS database, including endpoint inventory and policy data.
  • Compromise of the central management plane, enabling downstream impact on managed FortiClient endpoints.

Mitigation

  1. Upgrade FortiClientEMS to version 7.4.5 or above, per Fortinet advisory FG-IR-25-1142.
  2. No vendor workaround is available; applying the fixed version is the only remediation.
  3. Restrict network exposure of the FortiClient EMS administrative and enrollment interfaces to trusted networks while upgrading.
  4. After upgrading, review the EMS database and host for signs of prior compromise and rotate any credentials or secrets stored by or accessible to the server.

Detection

Review the FortiClient EMS web server and application logs for crafted HTTP requests containing SQL metacharacters, tautologies, UNION/SELECT fragments, stacked queries, or unusually encoded payloads directed at EMS endpoints, especially from untrusted or unauthenticated sources. Because the flaw can be leveraged to execute unauthorized code or commands, also inspect the underlying host for anomalous database errors, unexpected child processes spawned by the EMS or database service, newly written files, and unexpected outbound connections. At the database layer, enable or review query auditing for malformed statements, injection-style errors, and reads or writes against tables holding administrator credentials, endpoint records, and policy definitions that do not correspond to legitimate administration; check as well for new or altered administrative accounts and for changes to managed-endpoint policies that were not made through normal administrative workflows.

To scope the work, inventory every FortiClient EMS instance, identify which run an affected 7.4.0-7.4.4 build and which were reachable from untrusted networks, and investigate those first. CISA added CVE-2026-21643 to the Known Exploited Vulnerabilities catalog on April 13, 2026; the catalog does not currently flag ransomware-campaign use, but active exploitation is confirmed, so a server that was internet-exposed while unpatched should be treated as at risk and given a focused compromise assessment. Correlate findings with Fortinet PSIRT guidance in FG-IR-25-1142 and with any vendor- or community-published indicators of compromise.
Because EMS is the control plane for a fleet of endpoints, extend the review downstream: confirm that managed FortiClient agents received only legitimate, signed software and policy updates during the exposure window, and watch for unexpected configuration pushed from the server. Since Fortinet provides no workaround, an unpatched server cannot be safely left in place. Preserve logs before upgrading, confirm remediation by validating that the running build is 7.4.5 or later, and treat eradication as incomplete until the server is patched, server-side and stored credentials are rotated, and the integrity of connected endpoints is confirmed.
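A worked triage and log-scanning example for the checks above, added here and not part of the advisory or of any Fortinet tooling. The access-log lines, request paths, table name and host inventory are constructed placeholders (the paths are not EMS endpoints); the affected-version range is the one FG-IR-25-1142 lists. The indicator list is deliberately small, and the "comment" indicator on its own is weak, so treat hits as leads for the host and database review, not as confirmation of exploitation.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Common Log Format. They are not real FortiClient EMS
# logs; the paths and the "admins" table are placeholders for the demonstration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:02:14:11 +0000] "GET /api/example/endpoints?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2026:02:14:12 +0000] "GET /api/example/endpoints?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9132
203.0.113.7 - - [10/Apr/2026:02:14:13 +0000] "GET /api/example/endpoints?id=1%20UNION%20SELECT%20name%2Chash%20FROM%20admins-- HTTP/1.1" 200 2210
198.51.100.9 - - [10/Apr/2026:02:15:00 +0000] "POST /api/example/login HTTP/1.1" 200 318
203.0.113.7 - - [10/Apr/2026:02:15:30 +0000] "GET /api/example/endpoints?id=1%253B%2520DROP%2520TABLE%2520x-- HTTP/1.1" 500 0
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection indicators from the Detection text: tautology, UNION/SELECT, stacked
# statement, SQL comment terminator. Order here is the order hits are reported.
INDICATORS = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "stacked": re.compile(r";\s*(?:select|insert|update|delete|drop|alter|create|exec|execute)\b", re.I),
    "comment": re.compile(r"--|/\*"),
}


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded target matches an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; a real run would log and skip
        target = decode_fully(m["target"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(target)]
        if hits:
            findings.append({"line": lineno, "ip": m["ip"], "status": int(m["status"]),
                             "target": target, "indicators": hits})
    return findings


def by_source(findings: list[dict]) -> dict[str, int]:
    """Flagged-request count per source address, to rank where to look first."""
    return dict(Counter(f["ip"] for f in findings))


# Affected range from FG-IR-25-1142 as cited on this page: 7.4.0 through 7.4.4, fixed in 7.4.5.
# Only that range is encoded; check other branches against the advisory itself.
AFFECTED = ((7, 4, 0), (7, 4, 4))


def is_affected(version: str) -> bool:
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts += (0,) * (3 - len(parts))  # "7.4" is treated as 7.4.0
    return AFFECTED[0] <= parts <= AFFECTED[1]


# Constructed inventory of EMS hosts (hypothetical names and exposure flags).
INVENTORY = [
    {"host": "ems-lab", "version": "7.4.2", "internet_exposed": False},
    {"host": "ems-prod", "version": "7.4.4", "internet_exposed": True},
    {"host": "ems-dr", "version": "7.4.5", "internet_exposed": True},
]


def prioritize(inventory: list[dict]) -> list[str]:
    """Affected builds first, internet-exposed ones before internal, then by name."""
    ranked = sorted(inventory,
                    key=lambda h: (not is_affected(h["version"]), not h["internet_exposed"], h["host"]))
    return [h["host"] for h in ranked]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["line"], f["ip"], f["status"], f["indicators"], f["target"])
    print(by_source(scan_log(SAMPLE_LOG)))   # {'203.0.113.7': 3}
    print(prioritize(INVENTORY))             # ['ems-prod', 'ems-lab', 'ems-dr']
```

Run it against real EMS web-server logs by replacing SAMPLE_LOG with the file contents (and the CLF pattern with whatever format the server actually writes); the prioritize() output is the order in which to start the host, database and downstream-endpoint review.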

#cve-2026-21643 #fortinet #forticlient-ems #sql-injection #cwe-89 #critical-vulnerability #actively-exploited #cisa-kev