TL;DR
- A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClient EMS 7.4.4 is under active exploitation
- Attackers need no authentication to exploit the flaw—exposing admin credentials, endpoint data, security policies, and certificates
- Only multi-tenant deployments of FortiClient EMS 7.4.4 are affected; the 7.2 and 8.0 branches and 7.4.5 are not affected
- Approximately 1,000 FortiClient EMS instances are publicly exposed to the internet according to Shodan
- Immediate upgrade to version 7.4.5 is required for affected organizations
The Vulnerability: What Is CVE-2026-21643?
Fortinet FortiClient Endpoint Management Server (EMS) is a centralized management platform used by organizations to monitor and manage FortiClient endpoint agents across their networks. On March 30, 2026, security researchers confirmed that a critical SQL injection vulnerability tracked as CVE-2026-21643 is being actively exploited in the wild—just days after it was publicly disclosed [1].
The vulnerability, discovered internally by Fortinet Product Security team member Gwendal Guégniaud, stems from improper neutralization of special elements used in SQL commands (CWE-89). Specifically, the HTTP header used to identify which tenant a request belongs to is passed directly into a database query without sanitization, and this happens before any login check [2].
This pre-authentication nature is what makes CVE-2026-21643 particularly dangerous. Attackers need no credentials whatsoever. A single crafted HTTP request to the EMS web interface is sufficient to execute arbitrary SQL commands against the backing PostgreSQL database [3].
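To make the mechanism concrete, here is an added, self-contained Python model of a tenant lookup that runs before login. It is example code written for this article, not FortiClient EMS code or Bishop Fox's proof of concept: the header name X-Tenant, the table names and the rows are assumed for illustration, and SQLite stands in for the real database. The vulnerable function splices the header into the query text; a single crafted header then pulls password hashes out of an unrelated table through a UNION. The two fixed functions show that binding the value as a parameter alone neutralises the payload, and that an allow-list on the header adds a second, independent barrier.

```python
import re
import sqlite3

# Constructed toy schema for this example only; it is not the FortiClient EMS
# schema. Two tenants, each with an administrator row in a separate table.
SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE admins  (tenant_id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO tenants VALUES (1, 'acme'), (2, 'globex');
INSERT INTO admins  VALUES (1, 'admin', 'sha256$aaaa'), (2, 'root', 'sha256$bbbb');
"""

TENANT_HEADER = "X-Tenant"   # assumed header name; the real one is not named here


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def resolve_tenant_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """Pre-auth tenant lookup with the header spliced into the SQL text.
    This is the CWE-89 shape the article describes: the value is parsed as
    SQL, so quote, UNION and comment characters change the query's meaning."""
    tenant = headers.get(TENANT_HEADER, "")
    sql = f"SELECT id FROM tenants WHERE name = '{tenant}'"
    return [row[0] for row in conn.execute(sql)]


def resolve_tenant_parameterised(conn: sqlite3.Connection, headers: dict) -> list:
    """Same lookup with a bound parameter: the header value is passed as data,
    never as SQL text, so a crafted value simply matches no tenant."""
    tenant = headers.get(TENANT_HEADER, "")
    rows = conn.execute("SELECT id FROM tenants WHERE name = ?", (tenant,))
    return [row[0] for row in rows]


TENANT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_tenant_fixed(conn: sqlite3.Connection, headers: dict) -> list:
    """Defence in depth: reject anything that is not a plain identifier
    before it reaches the database, then still bind it as a parameter."""
    tenant = headers.get(TENANT_HEADER, "")
    if not TENANT_NAME.fullmatch(tenant):
        raise ValueError("invalid tenant header")
    return resolve_tenant_parameterised(conn, {TENANT_HEADER: tenant})


def demo() -> dict:
    conn = make_db()
    benign = {TENANT_HEADER: "acme"}
    # One unauthenticated request. The UNION appends rows from the admins
    # table to a query that was only meant to return a tenant id; the
    # trailing comment swallows the closing quote the application adds.
    crafted = {TENANT_HEADER: "x' UNION SELECT password_hash FROM admins --"}
    out = {
        "vuln_benign": resolve_tenant_vulnerable(conn, benign),
        "vuln_crafted": resolve_tenant_vulnerable(conn, crafted),
        "param_crafted": resolve_tenant_parameterised(conn, crafted),
        "fixed_benign": resolve_tenant_fixed(conn, benign),
    }
    try:
        resolve_tenant_fixed(conn, crafted)
        out["fixed_crafted"] = "accepted"
    except ValueError as exc:
        out["fixed_crafted"] = str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value}")
```

The point of showing both fixes separately is that the allow-list is not what makes the code safe; the bound parameter is. An allow-list on its own can be bypassed by a value the pattern author did not anticipate, whereas a parameter is never parsed as SQL regardless of its content.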
What Attackers Can Access
A successful SQL injection attack against FortiClient EMS 7.4.4 exposes the entire management platform's data. According to Bishop Fox's technical analysis, attackers gain access to [4]:
- Administrator credentials: All stored usernames, password hashes, and authentication tokens
- Endpoint inventory data: Complete records of every managed device, including hostnames, IP addresses, OS versions, and installed software
- Security policies: Firewall rules, web filtering configurations, and all security settings applied to endpoints
- Certificates: TLS/SSL certificates used for secure communications between endpoints and the EMS server
This level of access gives attackers a complete map of the target's network infrastructure and credentials they can use to move laterally to other systems. From an attacker's perspective, compromising an endpoint management server is like stealing the master key to every door in a building.
The Multi-Tenant Connection
CVE-2026-21643 affects only FortiClient EMS version 7.4.4 with multi-tenant mode enabled. Multi-tenant mode, which lets a single EMS instance manage multiple customer sites, predates 7.4.4 [5].
Version 7.4.4 refactored the middleware stack and database connection layer as part of this feature's evolution, introducing the critical flaw where the tenant identification header flows directly into SQL queries without sanitization [6].
Single-site deployments of FortiClient EMS 7.4.4 are not affected by this vulnerability. Additionally, FortiClient EMS branches 7.2 and 8.0 do not contain the vulnerable code path [7].
Active Exploitation Confirmed
On March 30, 2026, Defused Cyber—a cybersecurity firm that operates honeypots to capture real-world attack attempts—reported that CVE-2026-21643 is being exploited just days after public disclosure [8].
"Currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists, [CVE-2026-21643] has seen first exploitation already 4 days ago according to our data," the company stated [9].
This rapid weaponization is consistent with broader trends in 2026. According to Cisco Talos, vulnerability exploits have served as the primary vector for initial access for two consecutive quarters, with the speed at which threat actors weaponize weaknesses accelerating [10].
Fortinet has not yet confirmed exploitation of CVE-2026-21643 in an official advisory as of March 30, 2026 [11].
Exposure Assessment: How Many Are at Risk?
According to Shodan—a search engine for internet-connected devices—approximately 1,000 FortiClient EMS instances are publicly exposed to the internet [12]. However, it's unclear how many of these are running the vulnerable version 7.4.4 with multi-tenant mode enabled.
For SMBs using FortiClient EMS, the immediate action is to check:
- Are you running version 7.4.4? Check the EMS console or run the forticlientems --version command
- Is multi-tenant mode enabled? This setting would be visible in your EMS configuration
- Is your EMS interface exposed to the internet? If yes, immediate action is critical
Remediation: What to Do Right Now
For organizations running affected FortiClient EMS deployments:
Immediate Actions (Within 24 Hours)
Upgrade to version 7.4.5: Fortinet's advisory FG-IR-25-1142 lists 7.4.5 as the release that resolves the SQL injection vulnerability [13]. Upgrade even if multi-tenant mode is currently off, since enabling it later on 7.4.4 would expose the vulnerable code path.
Verify no internet exposure: Make sure the FortiClient EMS web interface is not reachable from the internet. Put it behind a VPN or restrict it with a source-IP allow-list.
Check for indicators of compromise: Review EMS web server logs for requests whose tenant-identification header contains quotes, SQL keywords or comment sequences, and database logs for statements that do not match the application's normal queries. Because the flaw is pre-authentication, do not limit the search to authenticated sessions.
Within 72 Hours
Rotate all credentials: If your EMS was exposed, assume all stored credentials may be compromised. Change admin passwords and any service account credentials stored in the system.
Review endpoint inventory: Compare your current endpoint list against historical records. Investigate any discrepancies that might indicate attacker reconnaissance.
Audit certificate usage: If certificate material stored in EMS could have been read, reissue the affected certificates and revoke the old ones, particularly any used for critical infrastructure.
Search for lateral movement: Use network logs to check whether any systems accessed data from EMS endpoints during the exposure window.
If You Can't Patch Immediately
If upgrading to 7.4.5 isn't immediately possible, apply these compensating controls:
- Block internet access to EMS: Use firewall rules to restrict EMS web interface access to internal networks only
- Implement web application firewall (WAF) rules: Configure the WAF to inspect request headers, not only the body and query string, for SQL injection patterns, since the injection point here is a header
- Monitor EMS database logs: Set up alerts for unusual SQL queries or database access patterns
- Disable multi-tenant mode: If feasible, temporarily disable multi-tenant functionality (requires testing)
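An added Python example for the log review step under "Check for indicators of compromise" above and for the WAF and database-monitoring items in this list. It is mine, not the article's or Fortinet's: it applies a small set of SQL-syntax patterns to the tenant header value in access-log records and rolls hits up per source address, so that one stray quote (possibly a typo) is distinguishable from a sequence of distinct techniques from one address within minutes. The log format (newline-delimited JSON with a tenant_header field), the paths and the addresses are constructed for the example; the real EMS log format will differ and the field name must be mapped accordingly. The same regexes, scoped to the header, are a starting point for a WAF rule.

```python
import json
import re
from collections import defaultdict

# Patterns that should never appear in a value whose only legitimate content
# is a tenant identifier. Listed roughly from most to least specific.
SQLI_PATTERNS = [
    ("union_select",  re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("pg_timing",     re.compile(r"\bpg_sleep\s*\(|\bpg_catalog\b|\binformation_schema\b", re.I)),
    ("tautology",     re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("quote_comment", re.compile(r"['\"]|--|/\*|;")),
    ("url_encoded",   re.compile(r"%27|%22|%2d%2d|%3b", re.I)),
]

# What a legitimate tenant identifier is assumed to look like (assumption).
TENANT_OK = re.compile(r"[A-Za-z0-9_-]{1,64}")


def classify_header(value: str) -> list:
    """Return the names of the patterns that fire on one header value.
    A value that is not a plain identifier is flagged even when no SQL
    pattern matches, because the expected content is an identifier."""
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(value)]
    if not TENANT_OK.fullmatch(value):
        hits.append("not_identifier")
    return hits


def scan_log(text: str, header_field: str = "tenant_header") -> list:
    """Parse newline-delimited JSON access-log records (constructed format,
    not the EMS log format) and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        value = rec.get(header_field, "")
        if not value:
            continue
        hits = classify_header(value)
        if hits:
            findings.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"],
                             "status": rec["status"], "value": value, "hits": hits})
    return findings


def summarize_by_source(findings: list) -> dict:
    """Roll findings up per source address with the distinct techniques seen
    and the time span, which is what an analyst triages on."""
    per_src = defaultdict(lambda: {"count": 0, "techniques": set(), "first": None, "last": None})
    for f in findings:
        s = per_src[f["src"]]
        s["count"] += 1
        s["techniques"].update(h for h in f["hits"] if h != "not_identifier")
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    return {src: {**s, "techniques": sorted(s["techniques"])} for src, s in per_src.items()}


# Constructed sample: a quote probe, a UNION read and a PostgreSQL timing
# probe from one address, bracketed by two benign requests. 203.0.113.0/24 is
# a documentation range; the paths are invented.
SAMPLE_LOG = """\
{"ts":"2026-03-26T02:11:04Z","src":"203.0.113.7","method":"GET","path":"/api/v1/status","status":200,"tenant_header":"acme"}
{"ts":"2026-03-26T02:11:09Z","src":"203.0.113.7","method":"GET","path":"/api/v1/status","status":500,"tenant_header":"acme'"}
{"ts":"2026-03-26T02:11:15Z","src":"203.0.113.7","method":"GET","path":"/api/v1/status","status":200,"tenant_header":"x' UNION SELECT password_hash FROM admins --"}
{"ts":"2026-03-26T02:11:21Z","src":"203.0.113.7","method":"GET","path":"/api/v1/status","status":200,"tenant_header":"x' AND pg_sleep(5)--"}
{"ts":"2026-03-26T08:30:00Z","src":"10.20.0.5","method":"GET","path":"/api/v1/status","status":200,"tenant_header":"globex"}
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["src"], f["status"], f["hits"], repr(f["value"]))
    for src, s in summarize_by_source(found).items():
        print(src, s["count"], "requests", s["techniques"], s["first"], "..", s["last"])
```

A 500 response to the quote probe followed by 200s to the UNION and timing payloads is the pattern to look for: the first request broke the query, the later ones were tuned to keep it valid. Treat a source that shows more than one technique in a short window as an exploitation attempt, not noise.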
The Strategic Lesson: Internet-Facing Management Interfaces Are Risk
CVE-2026-21643 is part of a broader pattern: critical vulnerabilities in internet-facing management interfaces. These systems are designed for convenience—allowing administrators to manage infrastructure from anywhere—but that same accessibility makes them high-value targets.
According to CISA's Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities in remote management and VPN products consistently rank among the most frequently exploited [14].
For SMBs, the strategic decision is whether remote management convenience outweighs the risk of internet exposure. Best practices now recommend:
- VPN-only access: Require VPN authentication before accessing management interfaces
- Zero-trust network access (ZTNA): Broker access to the interface on user and device identity rather than network location, granting it just in time and only for as long as it is needed
- Bastion hosts: Place management interfaces behind hardened jump servers with strict access controls
- Regular exposure audits: Quarterly scans to ensure no management interfaces are unexpectedly exposed
The Cost of Delay: Why Timely Patching Matters
The window between vulnerability disclosure and active exploitation is collapsing. In 2025, the average time from public disclosure to in-the-wild exploitation dropped to under 5 days for critical vulnerabilities in widely used software [15].
For CVE-2026-21643, Defused Cyber detected exploitation within approximately 4 days of technical details being published [16]. This compression gives defenders less time to test and deploy patches.
For SMBs, this reality demands a different approach to patch management:
- Pre-staging patches: Test patches in non-production environments before they're needed
- Emergency patch procedures: Have documented procedures for rapid patch deployment when critical CVEs are disclosed
- Compensating controls ready: Know which controls you'll apply if you can't patch immediately
- Vendor security advisories: Subscribe to security alerts for all critical software in your infrastructure
CVE-2026-21643 shows that internet-exposed management interfaces are prime targets. If you're using Fortinet or similar endpoint management tools, lil.business can help you assess your exposure and build a secure remote access strategy that doesn't sacrifice convenience for security. Get in touch.
FAQ
CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server (EMS) version 7.4.4. The flaw allows unauthenticated attackers to execute arbitrary SQL commands through a specially crafted HTTP header, potentially exposing administrator credentials, endpoint inventory data, security policies, and certificates stored in the EMS database.
You're affected only if you're running FortiClient EMS version 7.4.4 with multi-tenant mode enabled. Single-site deployments are not vulnerable. Versions 7.2, 8.0, and 7.4.5 and later are not affected. Check your EMS version in the console or by running forticlientems --version, then verify whether multi-tenant mode is enabled in your configuration.
No. This is a pre-authentication vulnerability, meaning attackers need no credentials whatsoever. The SQL injection occurs before any login check because the vulnerable HTTP header is processed during tenant identification. A single crafted HTTP request to the EMS web interface is sufficient to exploit the flaw.
If you cannot upgrade to FortiClient EMS 7.4.5 immediately, apply compensating controls: block internet access to the EMS web interface and restrict it to internal networks only, implement web application firewall (WAF) rules to detect SQL injection patterns, monitor EMS database logs for unusual queries, and consider temporarily disabling multi-tenant mode if feasible.
Review EMS access logs for suspicious HTTP requests with unusual headers or SQL injection patterns, check database logs for unexpected queries or unusual data access, compare your endpoint inventory against historical records for discrepancies, investigate any unauthorized administrator logins or privilege changes, and use network logs to identify lateral movement from EMS to other systems during the exposure window.
References
[1] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
[2] Bishop Fox, "CVE-2026-21643: Pre-Authentication SQL Injection in FortiClient EMS 7.4.4," March 2026. [Online]. Available: https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
[3] Bishop Fox, "CVE-2026-21643: Pre-Authentication SQL Injection in FortiClient EMS 7.4.4," March 2026.
[4] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026.
[5] Bishop Fox, "CVE-2026-21643: Pre-Authentication SQL Injection in FortiClient EMS 7.4.4," March 2026.
[6] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026.
[7] Bishop Fox, "CVE-2026-21643: Pre-Authentication SQL Injection in FortiClient EMS 7.4.4," March 2026.
[8] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026.
[9] Defused Cyber, LinkedIn Update, March 30, 2026. [Online]. Available: https://www.linkedin.com/feed/update/urn:li:activity:7443678408401756160/
[10] Gopher Security, "Surge in Vulnerability Exploits: Cyber Intrusions Trends 2026," March 2026. [Online]. Available: https://www.gopher.security/news/surge-in-vulnerability-exploits-cyber-intrusions-trends-2026
[11] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026.
[12] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026.
[13] Fortinet, "FortiClient EMS Security Advisory FG-IR-25-1142." [Online]. Available: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
[14] CISA, "Known Exploited Vulnerabilities Catalog," 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[15] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[16] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026.
Plain-Language Version
TL;DR
- A popular security tool called FortiClient EMS has a security hole that hackers are already using
- The hole lets bad guys see passwords, computer lists, and security settings without logging in
- Only version 7.4.4 is affected—version 7.4.5 fixes the problem
- About 1,000 companies have this tool exposed to the internet right now
What Is FortiClient EMS?
Imagine you're a teacher with 30 students. Instead of checking each student's homework individually, you have a special notebook where everyone's homework is collected together. You can see everything in one place.
FortiClient EMS is like that notebook, but for computers. It's a tool companies use to manage all their computers' security from one place. Instead of checking each computer separately, IT people can see all of them, update security settings, and fix problems—all from a central dashboard.
It's really useful because managing 100 or 1,000 computers one by one would take forever.
What Is the Security Hole?
FortiClient EMS version 7.4.4 has a mistake in how it handles a certain type of message. Think of it like a special delivery that the system accepts without checking who it's from.
Here's the problem in simple terms:
When FortiClient EMS receives a message asking "Which customer's data do you want?", it writes that customer name directly into a database command without checking it first.
This is like a restaurant writing down whatever a customer says for their order—even if the customer says "Delete everything in the kitchen." The restaurant should check that order first, but it doesn't.
Why This Is Dangerous
Because of this mistake, bad guys can send specially crafted messages that trick FortiClient EMS into revealing information it shouldn't.
They can see:
- Passwords: The secret codes used to log in
- Computer lists: Every computer the company manages
- Security settings: All the rules that keep the company safe
- Certificates: Digital ID cards that prove computers are who they say they are
And here's the scary part: the bad guys don't need a password to do this. They don't have to log in at all. They just send the special message, and the system gives them the information.
The Analogy: The Open Door
Imagine you have a really good lock on your front door. You think your house is secure because you have this fancy lock.
But then you realize there's a window you forgot about, and it's been open the whole time. Anyone can climb through that window without needing your key.
That's what this security hole is like. Companies thought they were protected because they had strong passwords and security measures. But this open window (the mistake in FortiClient EMS) let bad guys walk right in anyway.
Who Is Affected?
Here's the good news: not everyone who uses FortiClient EMS has this problem.
You're affected ONLY if:
- You're using version 7.4.4 specifically
- You have multi-tenant mode turned on (this means managing multiple companies from one system)
You're safe if:
- You're using version 7.2, 8.0, or 7.4.5 or newer
- You're using version 7.4.4 but NOT in multi-tenant mode
- Your FortiClient EMS can't be reached from the internet (this doesn't remove the bug; it just means an attacker would first need a way into your network)
About 1,000 FortiClient EMS systems are visible on the internet right now, but we don't know exactly how many of those are the vulnerable version.
What Happened Next?
Security researchers found this problem and told everyone about it. Normally, companies get time to fix problems before bad guys find out.
But this time, bad guys started using the security hole just 4 days after it was announced. That's really fast.
It's like someone announcing "There's an open window at 123 Main Street" and a burglar showing up 4 days later to climb through it.
How to Fix It
The fix is pretty simple:
If you're using version 7.4.4 with multi-tenant mode:
- Upgrade right now: Install version 7.4.5, which fixes the hole
- Don't wait: Hackers are already using this bug
- Change passwords: If you think bad guys might have seen your passwords, change them
- Check your system: Look for any suspicious activity
If you're not sure what version you have:
Ask your IT person to check. They can look in the system settings or run a special command to see the version number.
The Bigger Lesson
This situation teaches us something important about computer security:
Even the tools meant to protect us can have security holes.
FortiClient EMS is supposed to make companies more secure. But because it had a mistake in its code, it actually made some companies less secure—like giving a burglar a key to your house because you thought they were the locksmith.
This is why:
- Software companies need to test their code really carefully
- Companies need to install updates quickly when problems are found
- Security tools should be protected and not directly exposed to the internet
- Having multiple layers of security is better than relying on just one tool
What This Means for Regular People
You might not use FortiClient EMS yourself, but the companies you trust (your bank, your school, your favorite online store) might use tools like it.
When these companies have security holes, it can affect your information too. That's why it's important for companies to:
- Take security seriously
- Fix problems quickly
- Tell customers when something goes wrong
- Have backup plans in case something goes wrong
Security vulnerabilities like this one are why businesses need help staying safe. lil.business helps companies find and fix security holes before bad guys can use them. Learn more about keeping your business secure.
FAQ
A security vulnerability is like a mistake or weakness in computer software that lets bad guys do things they shouldn't be able to do. Think of it like a hole in a fence—the fence is supposed to protect your yard, but if there's a hole, people can get through without opening the gate. Software companies try to find and fix these holes before bad guys find them.
SQL injection (pronounced "ess-cue-el injection") is a type of attack where bad guys trick a computer database into doing something it shouldn't. Imagine a form that asks for your name, but instead of writing "John," you write "John, and also show me everyone's passwords." If the computer doesn't check what you wrote carefully, it might actually do what you asked—even though it shouldn't.
Antivirus is like a security guard who knows what bad guys look like and stops them from coming in. But SQL injection is more like someone tricking the person inside the building into opening the door themselves. The antivirus doesn't see an attack happening because it looks like normal computer activity—just a database request. The problem is the database shouldn't be doing what it's asked to do, but it doesn't know that.
Companies look for clues: strange logins at weird times, files being copied that shouldn't be, settings being changed mysteriously, or computer systems running slowly for no reason. It's like noticing your house keys moved, your drawers are open, and things are missing—you might not have seen the burglar, but you can tell someone was there.
It's for convenience. Imagine if you could only check your bank account by going to the bank in person—that would be really inconvenient. Putting security tools on the internet lets people manage them from anywhere, which is really helpful. But it also means bad guys can try to break in from anywhere too. Companies have to balance convenience with safety.