TheCyberExpress

FortiClientEMS Flaws Under Active Exploitation

A newly disclosed set of vulnerabilities affecting Fortinet’s endpoint management platform has raised serious concerns among cybersecurity professionals, particularly as both flaws are already being actively exploited.

The issues, tracked as CVE-2026-35616 and CVE-2026-21643, impact FortiClientEMS and expose systems to unauthenticated remote code execution (RCE), with attackers requiring no prior access to compromise affected servers. 

One of the vulnerabilities, CVE-2026-21643, stems from an improper neutralization of special elements in SQL commands, commonly referred to as a SQL Injection flaw (CWE-89). This weakness exists within the administrative interface of FortiClientEMS, allowing unauthenticated attackers to send specially crafted HTTP requests and execute unauthorized code or commands. 

Critical SQL Injection Flaw in FortiClientEMS (CVE-2026-21643) 

Security researchers have confirmed that this SQL Injection issue is not just theoretical. It has already been observed being exploited in real-world attacks, increasing the urgency for mitigation. Because the flaw does not require authentication, attackers can directly target exposed systems, making it a particularly dangerous entry point. 

In terms of affected versions, FortiClientEMS 7.4.4 is vulnerable and requires an upgrade to version 7.4.5 or later. Versions 8.0 and 7.2 are not affected by this issue. The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet’s Product Security team. The initial advisory was published on February 6, 2026, with a subsequent clarification removing FortiEMS Cloud from the affected products list. 

Improper Access Control Vulnerability (CVE-2026-35616) 

The second major flaw, CVE-2026-35616, involves improper access control (CWE-284) in FortiClientEMS. This vulnerability enables attackers to bypass API authentication and authorization mechanisms, again allowing unauthenticated execution of arbitrary code or commands through crafted requests. 

Like the SQL Injection flaw, CVE-2026-35616 has also been confirmed to be actively exploited in the wild. The potential impact is severe, as successful exploitation could lead to a complete compromise of the FortiClientEMS server. 

The vulnerability was officially published on April 4, 2026, and later added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) Catalog on April 6, 2026. CISA noted that such vulnerabilities are frequently used by malicious actors and pose significant risks, particularly to federal enterprise environments. 

Government and Industry Response 

The Cyber Security Agency of Singapore (CSA) issued an alert on April 6, 2026, warning of the active exploitation of CVE-2026-35616 in FortiClientEMS deployments. The advisory noted the critical nature of the vulnerability and urged organizations to take immediate action. 

According to the alert, “successful exploitation of this vulnerability could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests, potentially resulting in a full compromise of the FortiClient EMS server.” The agency also reiterated that exploitation activity has already been observed in the wild. 

Affected Versions and Mitigation Steps 

The improper access control vulnerability CVE-2026-35616 affects FortiClientEMS versions 7.4.5 through 7.4.6. Organizations using these versions are advised to apply the available hotfix immediately and upgrade to version 7.4.7 or later once it becomes available. 

Fortinet has provided specific guidance for applying fixes through its official release notes for versions 7.4.5 and 7.4.6. The company has indicated that the upcoming FortiClientEMS 7.4.7 release will include a permanent fix, while the currently available hotfix is sufficient to fully mitigate the issue in the interim. 

For CVE-2026-21643, upgrading from version 7.4.4 to 7.4.5 or above resolves the SQL Injection vulnerability. 
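The two advisories above leave a gap that is easy to miss during patch triage: upgrading from 7.4.4 to 7.4.5 resolves the SQL injection flaw but lands in the range affected by the access control flaw, so a host can need two separate actions. The following Python helper, added here as an example and not code from the article or from Fortinet, encodes the version ranges exactly as stated on this page and classifies an inventory of servers against them. The function names, the `ADVISORIES` table layout and the sample hostnames and versions are assumptions constructed for this example.

```python
"""Triage helper: classify FortiClientEMS versions against the two advisories.

The affected ranges and fix guidance are taken from the article above; the
function names and the sample inventory below are constructed for this example.
"""

# Inclusive affected ranges as stated in the article.
# CVE-2026-21643: 7.4.4 only, fixed in 7.4.5 (8.0 and 7.2 not affected).
# CVE-2026-35616: 7.4.5 through 7.4.6, hotfix available, permanent fix in 7.4.7.
ADVISORIES = [
    {
        "cve": "CVE-2026-21643",
        "weakness": "CWE-89 SQL injection (unauthenticated RCE)",
        "min": (7, 4, 4),
        "max": (7, 4, 4),
        "fix": "upgrade to 7.4.5 or later",
    },
    {
        "cve": "CVE-2026-35616",
        "weakness": "CWE-284 improper access control (unauthenticated RCE)",
        "min": (7, 4, 5),
        "max": (7, 4, 6),
        "fix": "apply the hotfix now; upgrade to 7.4.7 or later once released",
    },
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; missing parts become 0.

    Raises ValueError on anything that is not one to three dotted integers, so a
    malformed inventory entry is surfaced instead of silently treated as safe.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_by(version: str) -> list[dict]:
    """Return every advisory whose inclusive range contains this version."""
    v = parse_version(version)
    return [a for a in ADVISORIES if a["min"] <= v <= a["max"]]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each host to the CVE ids it is exposed to (empty list = not affected)."""
    return {host: [a["cve"] for a in affected_by(ver)] for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.4.4",   # SQL injection only; upgrade path lands in the next range
    "ems-prod-02": "7.4.6",   # access control flaw; needs hotfix, then 7.4.7
    "ems-lab-01": "7.4.7",    # carries the permanent fix
    "ems-legacy": "7.2.9",    # 7.2 branch, not affected by either issue
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        if not cves:
            print(f"{host}: not affected by either advisory")
            continue
        for adv in affected_by(SAMPLE_INVENTORY[host]):
            print(f"{host}: {adv['cve']} ({adv['weakness']}) -> {adv['fix']}")
```

Version-number triage cannot see whether the interim hotfix for CVE-2026-35616 has already been applied to a 7.4.5 or 7.4.6 server, so treat a hit on that advisory as "confirm hotfix status" rather than "unpatched", and note that a host reported as 7.4.4 will still need the hotfix after its upgrade to 7.4.5 unless it moves straight to 7.4.7.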