CVE-2026-21643 – Fortinet FortiClientEMS SQL Injection Vulnerability

Fortinet released a security update addressing CVE-2026-21643, a critical SQL injection vulnerability affecting FortiClientEMS version 7.4.4. The issue stems from improper neutralization of special elements in SQL commands within the web interface. A remote attacker can send crafted HTTP requests to execute unauthorized SQL queries, potentially leading to remote code execution on the underlying system.

This vulnerability carries a CVSS 3.1 score of 9.1 (Critical). The attack requires no authentication and can be executed over the network, creating a serious risk to confidentiality, integrity, and availability. Because FortiClientEMS centrally manages endpoints, a successful compromise could allow attackers to manipulate endpoint policies, deploy malicious payloads, disrupt security controls, or move laterally within the enterprise environment.

Fortinet confirmed that only version 7.4.4 is affected. Updating to version 7.4.5 or later resolves the issue. At the time of disclosure, there were no confirmed reports of active exploitation or publicly released proof-of-concept code.