Fortinet has issued urgent security guidance following the active exploitation of a critical SQL injection vulnerability affecting FortiClient Enterprise Management Server (EMS). The flaw allows unauthenticated attackers to achieve remote code execution through specially crafted HTTP requests sent to the EMS web interface. Security researchers have confirmed real-world attacks targeting exposed EMS instances, with thousands of vulnerable servers currently accessible on the public internet. Read this Cybersecurity Threat Advisory to reduce exposure and learn how to mitigate risk now.
What is the threat?
CVE-2026-21643 is a critical SQL injection vulnerability with a CVSS score of 9.1, found in the FortiClient EMS administrative interface. Successful exploitation allows attackers to:
- Execute arbitrary SQL commands against the EMS backend database
- Escalate privileges and gain administrative control
- Achieve remote code execution on the EMS host
- Access sensitive data, including endpoint inventories, credentials, and certificates
Key characteristics of the vulnerability include:
- Unauthenticated exploitation, meaning no valid credentials are required
- Exploitation via crafted HTTP requests sent directly to the EMS graphical interface
Why is it noteworthy?
This activity is significant for several reasons:
- Active exploitation has been confirmed by multiple threat intelligence sources, with attacks observed days before public disclosure
- Widespread internet exposure, with Shadowserver tracking more than 2,000 internet-facing EMS instances and Shodan identifying nearly 1,000 publicly accessible systems
- High-impact access, as unauthenticated remote code execution on a centralized security management platform enables lateral movement, policy manipulation, and widespread compromise
- Rapid weaponization, indicating threat actors are actively scanning for and exploiting vulnerable EMS deployments
What is the exposure or risk?
Organizations are at heightened risk if they meet any of the following conditions:
- Running FortiClient EMS version 7.4.4 or an earlier unpatched 7.4.x build
- Operating EMS servers exposed to the public internet
- Relying on EMS for endpoint security, VPN access, or certificate management
Exploitation could result in full compromise of endpoint management infrastructure and downstream systems.
What are the recommendations?
Barracuda strongly recommends taking the following actions to reduce exposure and secure environments:
- Upgrade FortiClient EMS from version 7.4.4 to version 7.4.5 or later
- Monitor for indicators of compromise (IOCs), including unusual HTTP requests targeting the EMS web interface
- Harden EMS deployments by enforcing strong authentication controls and enabling multi-factor authentication (MFA) for administrative access
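To apply the exposure conditions and the upgrade recommendation above across a fleet, the following added example (not part of the original advisory and not Fortinet or Barracuda code) ranks EMS servers by build and by whether the web interface is published on a non-internal address. The inventory record layout, the `published_ips` field, the tier names and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import re

FIRST_FIXED = (7, 4, 5)   # fixed release named in the advisory
AFFECTED_BRANCH = (7, 4)  # advisory covers 7.4.4 and earlier 7.4.x builds
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_version(text):
    """Extract (major, minor, patch) from e.g. '7.4.4' or 'v7.4.3 build 1820'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(map(int, m.groups())) if m else None

def internet_facing(published_ips):
    """True/False from the published addresses; None when exposure is unknown."""
    try:
        addrs = [ipaddress.ip_address(a) for a in published_ips]
    except (TypeError, ValueError):
        return None  # missing list or unparseable entry
    return any(not any(a in net for net in INTERNAL_NETS) for a in addrs)

def triage(server):
    """Return a priority tier for one inventory record (a dict)."""
    version = parse_version(server.get("version"))
    if version is None or version[:2] != AFFECTED_BRANCH:
        return "VERIFY"  # unknown build, or a branch this advisory text does not cover
    if version >= FIRST_FIXED:  # tuple compare, so 7.4.10 sorts after 7.4.5
        return "OK"
    # Affected build: unknown exposure is handled like public exposure.
    exposed = internet_facing(server.get("published_ips"))
    return "P2-PATCH" if exposed is False else "P1-PATCH-NOW"

def report(inventory):
    """Sort (tier, name) pairs so the most urgent servers come first."""
    order = {"P1-PATCH-NOW": 0, "P2-PATCH": 1, "VERIFY": 2, "OK": 3}
    return sorted(((triage(s), s["name"]) for s in inventory), key=lambda r: order[r[0]])

# Constructed inventory: names, builds and addresses are illustrative only.
INVENTORY = [
    {"name": "ems-dmz", "version": "7.4.4", "published_ips": ["203.0.113.10"]},
    {"name": "ems-hq", "version": "v7.4.3 build 1820", "published_ips": ["10.20.0.5"]},
    {"name": "ems-lab", "version": "7.4.5", "published_ips": ["192.168.1.9"]},
    {"name": "ems-branch", "version": "7.4.2", "published_ips": None},
    {"name": "ems-old", "version": "7.2.8", "published_ips": ["10.1.1.1"]},
]

if __name__ == "__main__":
    for tier, name in report(INVENTORY):
        print(f"{tier:13}{name}")
```

A server in the P2 tier still needs the upgrade; an internal address only lowers its position in the queue, and any port forward or VPN path that publishes it should be recorded in `published_ips`.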
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

