Fortinet has issued an urgent security advisory addressing a critical vulnerability in FortiClientEMS, its centralized management solution for endpoint protection, which could allow attackers to execute arbitrary code without authentication.
The flaw, tracked as CVE-2026-21643, has been assigned a CVSSv3 score of 9.1 out of 10. According to Fortinet, the vulnerability is an SQL Injection (SQLi) issue, formally described as an “improper neutralization of special elements used in an SQL Command” (CWE-89).
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” Fortinet noted in its advisory.
The flaw affects the following versions:
- FortiClientEMS 7.2: Not affected
- FortiClientEMS 7.4.4: Users must upgrade to 7.4.5 or above
- FortiClientEMS 8.0: Not affected
The vulnerability resides in the Graphical User Interface (GUI) component of the software. Insufficient input sanitization allows attackers to manipulate database queries through specially crafted HTTP requests, effectively bypassing authentication measures and gaining control over the underlying system. This poses a significant risk for enterprise environments, as FortiClientEMS typically manages endpoint security policies, antivirus deployments, and compliance reporting across an organization’s network.
Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw. While Fortinet has not confirmed any active exploitation in the wild for CVE-2026-21643, it is strongly recommended that users apply the update immediately.
This advisory follows the company’s recent disclosure of another critical-severity flaw affecting FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb (CVE-2026-24858, CVSS 9.4). That vulnerability allowed attackers with a FortiCloud account and a registered device to access other devices registered to different accounts if FortiCloud SSO authentication was enabled. Fortinet has confirmed that the issue was actively exploited to create local admin accounts, alter configurations to gain VPN access, and exfiltrate firewall configurations.
Administrators are urged to prioritize patching FortiClientEMS to prevent potential unauthorized access and mitigate risks associated with this critical SQLi vulnerability.
