Zero-day | Mar 30, 2026

Critical Fortinet Forticlient EMS flaw now exploited in attacks

Fortinet FortiClient EMS SQL injection flaw CVE-2026-21643 actively exploited in attacks.

Summary

Attackers are actively exploiting CVE-2026-21643, a critical SQL injection vulnerability in Fortinet's FortiClient EMS platform that allows unauthenticated remote code execution via malicious HTTP requests. The flaw affects version 7.4.4 and earlier; Fortinet has released patches in version 7.4.5. Shadowserver reports over 2,000 FortiClient EMS instances exposed online, with nearly 1,400 in the US and Europe, creating significant attack surface for ransomware and espionage campaigns.

Full text

By Sergiu Gatlan, March 30, 2026, 03:48 AM

Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence company Defused.

Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClientEMS GUI (web interface) via maliciously crafted HTTP requests.

"Fortinet Forticlient EMS CVE-2026-21643 - currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists - has seen first exploitation already 4 days ago according to our data," Defused warned over the weekend.

"Attackers can smuggle SQL statements through the 'Site'-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed."

The vulnerability, discovered internally by Gwendal Guégniaud of the Fortinet Product Security team, affects FortiClient EMS version 7.4.4 and can be patched by upgrading to version 7.4.5 or later.

Fortinet has yet to update its security advisory and flag the vulnerability as exploited in the wild. BleepingComputer reached out to a Fortinet spokesperson to confirm reports of active exploitation, but a response was not immediately available.

Internet security watchdog group Shadowserver is currently tracking over 2,000 FortiClient EMS instances with their web interfaces exposed online, with more than 1,400 IPs in the United States and in Europe.

Figure: FortiClient EMS exposed online (Shadowserver)

A separate Shodan search shows more than FortiClient EMS, with most exposed instances in the United States.

Fortinet vulnerabilities are frequently exploited to breach corporate networks in ransomware attacks and cyber espionage campaigns (often as zero-day bugs while patches are still pending).
Most recently, Fortinet mitigated CVE-2026-24858 zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.

Two years ago, in March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another FortiClient EMS SQL injection vulnerability that had been exploited in ransomware attacks and by Salt Typhoon, a Chinese state-sponsored hacking group, to breach telecommunications service providers.

In total, CISA has flagged 24 Citrix vulnerabilities as actively exploited, 13 of which were used in ransomware attacks.
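
A defensive log check for the 'Site'-header vector Defused describes, added here as an example that is not from the article, Fortinet or Defused. It assumes a reverse proxy in front of the EMS web interface writes one JSON object per request with the Site request header in a hypothetical `site` field (nginx exposes that header as `$http_site`), and that legitimate site names are plain identifiers; the field names, allow-list pattern and sample log lines are constructed.

```python
import json
import re

# Assumption: legitimate Site values are short plain identifiers. Tune per deployment.
SITE_OK = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# SQL syntax that has no place in a site name; used only to label the finding.
SQL_HINT = re.compile(
    r"""['";]|--|/\*|\b(?:select|union|insert|update|delete|drop|exec|sleep)\b""", re.I)

def classify_site(value):
    """Return None for an absent or acceptable Site value, else a short reason."""
    if value in (None, "", "-"):
        return None                      # header not sent
    value = str(value)
    if SITE_OK.fullmatch(value):
        return None                      # allow-listed shape
    return "sql-syntax" if SQL_HINT.search(value) else "unexpected-chars"

def scan(lines):
    """Scan JSON-lines proxy logs; return (findings, count of unparseable lines)."""
    findings, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1                 # do not silently trust broken input
            continue
        reason = classify_site(rec.get("site"))
        if reason:
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "status": rec.get("status"), "reason": reason,
                             "site": str(rec["site"])[:80]})
    return findings, skipped

# Constructed sample input (documentation IP ranges, invented values).
SAMPLE_LOG = """\
{"ts":"2026-03-29T10:01:02Z","src":"198.51.100.7","status":200,"site":"default"}
{"ts":"2026-03-29T10:01:05Z","src":"203.0.113.9","status":500,"site":"x'; SELECT 1--"}
{"ts":"2026-03-29T10:01:09Z","src":"203.0.113.9","status":200,"site":"default%27"}
{"ts":"2026-03-29T10:02:00Z","src":"198.51.100.7","status":200}
not json at all
"""

if __name__ == "__main__":
    hits, bad = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(f"unparseable lines: {bad}")
```

The allow-list is the primary signal: the percent-encoded value is flagged even though it contains no SQL keyword or quote character.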

Indicators of Compromise

  • cve — CVE-2026-21643
  • cve — CVE-2026-24858