Fortinet addresses a critical SQL injection flaw (CVE-2026-21643) allowing unauthenticated attackers to execute arbitrary code on vulnerable FortiClientEMS systems.
Fortinet has released emergency patches for a critical SQL injection vulnerability in its FortiClient Endpoint Management Server (EMS) platform that enables unauthenticated attackers to execute arbitrary system commands. Tracked as CVE-2026-21643 with a CVSS score of 9.1 out of 10, this security flaw poses significant risks to organizations using affected versions of the network security software.
According to Fortinet's security advisory, the vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89). This allows attackers to craft malicious HTTP requests that bypass authentication controls and execute unauthorized code on vulnerable systems. Gwendal Guégniaud of Fortinet's Product Security team discovered and reported the flaw.
The vulnerability specifically impacts:
- FortiClientEMS 7.4.4 (requires upgrade to 7.4.5 or later)
Notably, FortiClientEMS versions 7.2 and 8.0 remain unaffected. Organizations using the vulnerable version should immediately upgrade to FortiClientEMS 7.4.5 or later through Fortinet's support portal.
This disclosure follows Fortinet's recent patch for CVE-2026-24858 (CVSS 9.4), a critical authentication bypass vulnerability affecting FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb products. Unlike the SQLi vulnerability, Fortinet confirmed active exploitation of CVE-2026-24858 in the wild, with threat actors creating unauthorized admin accounts, modifying VPN configurations, and exfiltrating firewall settings.
Security practitioners should implement these protective measures:
- Immediately patch all affected FortiClientEMS installations to version 7.4.5+
- Audit authentication logs for suspicious activity, especially unexpected SQL queries
- Implement web application firewalls to filter malicious HTTP requests
- Restrict network access to FortiClientEMS management interfaces using firewall policies
- Monitor for unexpected system changes or new administrative accounts
While there's no evidence of CVE-2026-21643 being exploited in active attacks, the combination of unauthenticated access and remote code execution capabilities makes prompt patching essential. Fortinet's advisory emphasizes that organizations using cloud SSO authentication should also review their FortiCloud account configurations to prevent unauthorized cross-account access.
For technical details and patching resources, refer to Fortinet's official CVE-2026-21643 advisory and security update guide.
Comments
Please log in or register to join the discussion