Endpoint Exposed: Critical FortiClient EMS Flaw (CVSS 9.1) Allows Unauthenticated RCE
Ddos 
Fortinet has issued a high-priority security advisory for its FortiClient Enterprise Management Server (EMS), warning of a critical SQL injection vulnerability that could allow attackers to execute arbitrary code without ever logging in. Tracked as CVE-2026-21643, the flaw carries a severe CVSS score of 9.1, making it a top priority for administrators managing endpoint security.
The vulnerability strikes at the administrative heart of the software, which is used by organizations to manage and deploy endpoint protection across their networks. By exploiting this flaw, a remote attacker could potentially take full control of the management server, turning a defensive tool into a beachhead for compromise.
The core of the issue lies in how the application handles incoming database queries. Specifically, the system fails to properly sanitize user input, leaving the door open for SQL Injection (SQLi).
The advisory explains the technical breakdown: “An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests”.
In simple terms, an attacker can send a manipulated web request to the server that tricks the database into running malicious commands. Because the vulnerability is “unauthenticated,” the attacker does not need to steal a password or phish an employee to launch the attackβthey just need access to the web interface.
The vulnerability is specific to a narrow slice of the FortiClientEMS ecosystem, but for those affected, the risk is acute.
- FortiClientEMS 7.4: Version 7.4.4 is explicitly listed as affected.
- FortiClientEMS 8.0: This branch is “Not affected”.
- FortiClientEMS 7.2: This branch is also “Not affected”.
Fortinet has released a fix and is urging customers on the affected version to upgrade immediately.
- The Fix: Administrators running version 7.4.4 must “Upgrade to 7.4.5 or above” to close the security hole.
With a CVSS score of 9.1, this vulnerability sits near the top of the severity scale. Organizations using FortiClientEMS to manage their endpoint security should verify their version numbers today and apply the patch to prevent unauthorized code execution on their management infrastructure.
Related Posts:
- CVE-2023-48788 Exploited: Researcher Details Cyberattacks on Fortinet EMS
- Critical Fortinet Vulnerability Exploited: Hackers Deploy Remote Control Tools and Backdoors
- PoC Exploit Released for Critical Fortinet FortiClient EMS CVE-2023-48788 Flaw
- Kaspersky Uncovers Active Exploitation of Fortinet Vulnerability CVE-2023-48788
- “Connect:fun” Campaign Targets Media Organizations, Exploits Critical Fortinet Vulnerability
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
