Threat actors have started exploiting a critical-severity vulnerability in Fortinet FortiClient EMS, threat intelligence firm Defused Cyber warns.
A centralized management server, FortiClient EMS allows organizations to deploy, configure, and monitor FortiClient endpoints across their environments. It also supports multi-tenant deployments, enabling the management of multiple customer sites from a single instance.
Tracked as CVE-2026-21643, the now-exploited bug is described as an SQL injection issue that can be exploited remotely, without authentication, via specially crafted HTTP requests.
Successful exploitation of the flaw, Fortinet notes in its advisory, could lead to arbitrary code or command execution.
The security defect impacts FortiClient EMS version 7.4.4 and was patched in early February in version 7.4.5. According to Fortinet, the vulnerability was discovered internally.
One month after public disclosure, cybersecurity firm Bishop Fox published technical information on the bug, warning that it was practical to exploit.
“Our analysis shows attackers can abuse the publicly accessible /api/v1/init_consts endpoint to trigger the SQL injection before authentication. Because this endpoint returns database error messages and has no lockout protections, attackers can rapidly extract sensitive data from vulnerable FortiClient EMS 7.4.4 multi-tenant deployments,” Bishop Fox warned.
The issue, the cybersecurity company said, was introduced in version 7.4.4 through a redesigned middleware stack and database connection layer that resulted in HTTP identification headers being passed to a database query without sanitization, before authentication.
This enables an attacker to execute arbitrary SQL code against the database and access admin credentials, endpoint inventory, security policies, and endpoint certificates.
Proof-of-concept (PoC) code targeting the vulnerability has been published online.
Over the weekend, Defused warned that CVE-2026-21643 had been exploited for at least four days and that roughly 1,000 FortiClient EMS deployments are exposed to the internet. As of March 30, The Shadowserver Foundation tracks over 2,000 internet-accessible instances.
It is unclear how many of the exposed deployments are vulnerable, and Fortinet has yet to update its advisory to flag the bug as exploited.
SecurityWeek has emailed Fortinet for a statement on the flaw’s exploitation and will update this article if the company responds.
Related: StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs
Related: Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit
Related: Exploitation of Fresh Citrix NetScaler Vulnerability Begins
Related: F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild
