FortiClient EMS 7.4.4 Critical SQL Injection Flaw
Summary
CVE-2026-21643 is a critical unauthenticated SQL injection vulnerability affecting Fortinet FortiClient Endpoint Management Server (EMS) version 7.4.4. This vulnerability is currently under active exploitation in the wild, with the CrowdSec Network observing 51 distinct attacking IPs between 20 April 2026 and 27 April 2026. Fortinet published the advisory on 6 February 2026, and CISA subsequently added the issue to its Known Exploited Vulnerabilities catalog on 13 April 2026. The vulnerability poses significant risk as it targets a core administrative system used to centrally manage endpoint protection, VPN profiles, compliance policies, and device posture at scale. Successful exploitation grants attackers access to systems controlling user devices and security configurations.
Affected Systems and/or Applications
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above (7.4.7 recommended - see Mitigation) |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
Technical Details
The vulnerability is an unauthenticated SQL injection flaw located in the FortiClient EMS administrative interface. Attackers can exploit this vulnerability by sending crafted HTTP requests to the /api/v1/init_consts endpoint, injecting malicious SQL payloads through the Site HTTP header.
The vulnerable input is passed to the backend database without proper sanitization, enabling attackers to:
- Trigger database errors to confirm that a target is vulnerable
- Extract or manipulate stored data within the database
- Potentially chain the vulnerability into unauthorized code or command execution, depending on database capabilities and server configuration
Public exploit material has been released, demonstrating the attack path and lowering the barrier for exploitation.
Mitigation
Immediate Actions:
- Patching - Organizations running version 7.4.4 should treat this as an urgent patching priority. Upgrade FortiClient EMS to version 7.4.5 or above: ideally version 7.4.7, as the two intervening versions are affected by another critical vulnerability, CVE-2026-35616, disclosed in early April.
- Network Segmentation - If immediate patching is not feasible, restrict access to the EMS administrative interface:
- Remove exposure to the open internet
- Implement VPN-only access or identity-aware proxy
- Deploy tightly controlled IP allowlists
- Web Application Firewall (WAF) - Deploy a WAF in front of the application, configured to inspect requests to /api/v1/init_consts and specifically examine the Site header for anomalous values.
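As an added example (not part of the advisory and not Fortinet tooling), the following Python triages an EMS version against the table above and scans constructed proxy log records for requests to /api/v1/init_consts whose Site header departs from a simple hostname-like allowlist. The log format, the allowlist pattern, and the sample records are assumptions.

```python
import json
import re

# Assumptions (not from the advisory): a reverse proxy in front of EMS logs one
# JSON record per request with ts, src, path and a "headers" map, and a legitimate
# Site header is a short hostname-like token. Anything else is treated as anomalous.
VULN_PATH = "/api/v1/init_consts"
SITE_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def triage_version(version: str) -> str:
    """Classify a FortiClient EMS version against CVE-2026-21643 per the advisory table."""
    parts = [int(p) for p in version.split(".")] + [0, 0, 0]
    major, minor, patch = parts[:3]
    if (major, minor) != (7, 4) or patch < 4:
        return "not affected"        # 7.2 and 8.0 branches are not affected
    if patch == 4:
        return "vulnerable"          # the only release listed as affected
    if patch in (5, 6):
        return "fixed; carries CVE-2026-35616, move to 7.4.7"
    return "fixed"

def flag_requests(log_lines):
    """Return records that hit the vulnerable endpoint with an anomalous Site header."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("path") != VULN_PATH:
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        site = headers.get("site")
        # A missing header is not judged here; only present, malformed values are flagged.
        if site is not None and not SITE_OK.match(site):
            hits.append({"ts": rec["ts"], "src": rec["src"], "site": site})
    return hits

# Constructed sample log lines, not real traffic; the addresses are documentation ranges.
SAMPLE_LOG = [
    '{"ts":"2026-04-21T03:14:07Z","src":"203.0.113.9","path":"/api/v1/init_consts","headers":{"Site":"Default"}}',
    '{"ts":"2026-04-21T03:14:09Z","src":"198.51.100.7","path":"/api/v1/init_consts","headers":{"Site":"Default\'/*"}}',
    '{"ts":"2026-04-21T03:15:00Z","src":"192.0.2.5","path":"/api/v1/login","headers":{"Site":"x\'"}}',
]

if __name__ == "__main__":
    for v in ("7.4.4", "7.4.5", "7.4.7", "8.0.0"):
        print(v, "->", triage_version(v))
    for hit in flag_requests(SAMPLE_LOG):
        print("anomalous Site header:", hit)
```

The third sample record carries a malformed Site value on a different path and is deliberately not flagged, so the rule stays scoped to the endpoint the advisory names.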
What the Cyber Fusion Center is Doing
The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed.
References
- https://www.crowdsec.net/vulntracking-report/cve-2026-21643-forticlient-ems-sql-injection-exploitation
- https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
- https://kudelskisecurity.com/research/critical-vulnerability-in-fortinet-forticlient-ems