Exploitation of Critical Fortinet FortiClient EMS Flaw Begins

Summary

Threat actors are actively exploiting CVE-2026-21643, a critical unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS version 7.4.4 that enables remote arbitrary code execution. The flaw was patched in February 2026, but after Bishop Fox published technical details in March, exploitation began within days; as of March 30, over 2,000 internet-accessible instances are exposed. Attackers can abuse the /api/v1/init_consts endpoint to extract admin credentials, endpoint inventory, security policies, and certificates without authentication or rate-limiting.

Full text

Threat actors have started exploiting a critical-severity vulnerability in Fortinet FortiClient EMS, threat intelligence firm Defused Cyber warns. A centralized management server, FortiClient EMS allows organizations to deploy, configure, and monitor FortiClient endpoints across their environments. It also supports multi-tenant deployments, enabling the management of multiple customer sites from a single instance. Tracked as CVE-2026-21643, the now-exploited bug is described as an SQL injection issue that can be exploited remotely, without authentication, via specially crafted HTTP requests. Successful exploitation of the flaw, Fortinet notes in its advisory, could lead to arbitrary code or command execution. The security defect impacts FortiClient EMS version 7.4.4 and was patched in early February in version 7.4.5. According to Fortinet, the vulnerability was discovered internally. One month after public disclosure, cybersecurity firm Bishop Fox published technical information on the bug, warning that it was practical to exploit.Advertisement. Scroll to continue reading. “Our analysis shows attackers can abuse the publicly accessible /api/v1/init_consts endpoint to trigger the SQL injection before authentication. Because this endpoint returns database error messages and has no lockout protections, attackers can rapidly extract sensitive data from vulnerable FortiClient EMS 7.4.4 multi-tenant deployments,” Bishop Fox warned. The issue, the cybersecurity company said, was introduced in version 7.4.4 through a redesigned middleware stack and database connection layer that resulted in HTTP identification headers being passed to a database query without sanitization, before authentication. This enables an attacker to execute arbitrary SQL code against the database and access admin credentials, endpoint inventory, security policies, and endpoint certificates. Proof-of-concept (PoC) code targeting the vulnerability has been published online. Over the weekend, Defused warned that CVE-2026-21643 had been exploited for at least four days and that roughly 1,000 FortiClient EMS deployments are exposed to the internet. As of March 30, The Shadowserver Foundation tracks over 2,000 internet-accessible instances. It is unclear how many of the exposed deployments are vulnerable, and Fortinet has yet to update its advisory to flag the bug as exploited. SecurityWeek has emailed Fortinet for a statement on the flaw’s exploitation and will update this article if the company responds. Related: StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs Related: Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Related: Exploitation of Fresh Citrix NetScaler Vulnerability Begins Related: F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Telnyx Targeted in Growing TeamPCP Supply Chain AttackExploitation of Fresh Citrix NetScaler Vulnerability BeginsF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesCoruna iOS Exploit Kit Likely an Update to Operation TriangulationHightower Holding Data Breach Impacts 130,000 Latest News Google Slashes Quantum Resource Requirements for Breaking Cryptocurrency EncryptionStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNsLloyds Data Security Incident Impacts 450,000 IndividualsCritical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Healthcare IT Platform CareCloud Probing Potential Data BreachSilent Drift: How LLMs Are Quietly Breaking Organizational Access ControlHuskeys Emerges From Stealth With $8 Million in FundingRussian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-21643
• mitre_attack — T1190
• mitre_attack — T1059