Threat intelligence researchers have detected active exploitation of a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS).
The security flaw, identified as CVE-2026-21643, allows malicious actors to execute unauthorized database commands.
While attacks have been occurring in the wild for several days, official government tracking lists have yet to classify the flaw as actively exploited, leaving many organizations unaware of the immediate risk.
Fortinet FortiClient EMS Vulnerability
The vulnerability stems from improper sanitization of incoming web requests handled by the FortiClient EMS application.
Attackers are exploiting this weakness by smuggling malicious SQL statements directly through the “Site” header within standard HTTP requests.
When the vulnerable server processes this specially crafted header, the injected SQL commands are executed by the underlying database.
This SQL injection technique allows threat actors to bypass authentication mechanisms, extract sensitive administrative data, or potentially achieve deeper system compromise.
Because the attack relies on manipulating standard HTTP headers, the malicious traffic can easily blend in with legitimate enterprise communications.
This makes detection at the network edge more challenging without specific web application firewall rules targeting the “Site” header anomaly.
Data gathered by the threat intelligence firm Defused indicates that exploitation of CVE-2026-21643 began on or around March 26, 2026.
Despite this active targeting, the vulnerability is currently missing from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
This discrepancy highlights a critical blind spot for organizations that rely solely on government lists to prioritize their patching and remediation cycles.
The potential attack surface for this vulnerability is significant. Scans utilizing the Shodan search engine reveal that approximately 1,000 FortiClient EMS instances are currently exposed directly to the public internet.
Organizations running these internet-facing servers are at immediate risk of compromise if the software remains unpatched.
System administrators operating FortiClient EMS must immediately review their network configurations.
As a primary defense, organizations should remove these management servers from direct internet exposure by placing them behind virtual private networks or secure access gateways.
Furthermore, security teams should closely inspect HTTP traffic logs for anomalous SQL syntax embedded within the “Site” header to identify historical or ongoing compromise attempts.
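As an added example of the log review described above (not code from the article or from Fortinet), the following Python script sweeps web request logs for SQL syntax in the “Site” header. The JSON-lines log format, the indicator patterns and the sample entries are all constructed assumptions for this illustration; adapt the parser to whatever your proxy or WAF actually emits.

```python
import json
import re

# Indicator patterns, constructed for this example: SQL syntax that has no business
# appearing in a hostname-like header value. Tune them to your environment.
SQL_INDICATORS = {
    "quoted_boolean": re.compile(r"'\s*(or|and)\s", re.I),
    "sql_keyword": re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I),
    "terminator_or_comment": re.compile(r"(--|/\*|\*/|;)"),
    "time_based_probe": re.compile(r"\b(sleep|pg_sleep|waitfor)\b", re.I),
}
# A benign Site header is expected to look like a hostname; anything else is worth a look.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")

def site_header_findings(value):
    """Return the names of every indicator that matches a Site header value."""
    findings = [name for name, rx in SQL_INDICATORS.items() if rx.search(value)]
    if not HOSTNAME_RE.match(value):
        findings.append("not_hostname_shaped")
    return findings

def scan_log_lines(lines):
    """Scan JSON-lines logs (constructed format: src, path, headers) for SQL in the Site header."""
    hits = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole sweep
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        site = headers.get("site")
        if site is None:
            continue  # request never carried the header of interest
        findings = site_header_findings(site)
        # Shape alone is too noisy to alert on; require at least one SQL indicator.
        if any(f != "not_hostname_shaped" for f in findings):
            hits.append({"src": entry.get("src"), "site": site, "indicators": findings})
    return hits

# Constructed sample log lines; the odd header values are illustrative test strings only.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "path": "/api/v1/status", "headers": {"Site": "hq.example.local"}}',
    '{"src": "203.0.113.9", "path": "/api/v1/status", "headers": {"Site": "x\' OR 1=1 --"}}',
    '{"src": "203.0.113.9", "path": "/api/v1/status", "headers": {"Site": "x\'; SELECT pg_sleep(5)--"}}',
    '{"src": "10.0.0.6", "path": "/api/v1/status", "headers": {}}',
    'not json at all',
]
if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

Sources that trip the indicators repeatedly, or that appear in logs dated on or after the exploitation start noted above, are the first candidates for a deeper incident review.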