A critical security vulnerability has been discovered in Fortinet’s FortiClient EMS (Endpoint Management Server), potentially exposing organizations to remote code execution attacks.
The flaw, tracked as CVE-2026-21643, was disclosed on February 6, 2026, and carries a severe CVSS score of 9.1 out of 10.
FortiClient EMS Vulnerability
The vulnerability stems from an SQL injection flaw in the FortiClient EMS administrative interface.
SQL injection occurs when attackers manipulate database queries by inserting malicious code through input fields.
In this case, the software fails to properly sanitize special characters in SQL commands, creating an opening for exploitation.
| Data Point | Details |
|---|---|
| CVE ID | CVE-2026-21643 |
| Product | FortiClient EMS (Endpoint Management Server) |
| Vulnerability Type | SQL Injection (SQLi) in Administrative Interface |
| Severity | Critical |
| CVSS Score | 9.1 (out of 10) |
What makes this vulnerability particularly dangerous is that it requires no authentication.
Unauthenticated attackers can exploit the flaw remotely over the network by sending specially crafted HTTP requests to vulnerable systems.
This means attackers don’t need valid credentials or physical access to compromise affected servers.
Successful exploitation allows attackers to execute unauthorized code or commands on vulnerable systems, potentially leading to complete system compromise.
Attackers could steal sensitive data, install malware, or use compromised systems as launching points for further attacks within an organisation’s network.
The vulnerability affects FortiClient EMS version 7.4.4 specifically. Organizations using this version should take immediate action.
Notably, FortiClient EMS versions 7.2 and 8.0 are not affected by this security issue, and FortiEMS Cloud users are also safe.
Fortinet has released version 7.4.5 to address this critical vulnerability. Organizations running FortiClient EMS 7.4.4 should upgrade immediately to version 7.4.5 or later to protect their systems.
The vulnerability was discovered internally by Gwendal Guégniaud of Fortinet’s Product Security team, demonstrating the importance of proactive security research.
The relatively short timeline between discovery and public disclosure reflects the severity of the issue.
System administrators should prioritize patching affected FortiClient EMS installations immediately.
Before updating, organizations should review their systems to identify vulnerable versions, schedule maintenance windows for upgrades, and verify successful patch deployment.
Monitoring network logs for suspicious HTTP requests targeting the administrative interface can help detect potential exploitation attempts.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google
