SQL Injection Vulnerability in Fortinet FortiClientEMS Product
CVE-2026-21643

CVSS score: 9.1 (CRITICAL)

Key Information:

Vendor:
Fortinet

CVE Published:
6 February 2026

Badges

Trended | Score: 4,110 | Exploit Exists | Public PoC | EPSS 43% | CISA Reported | News Worthy

What is CVE-2026-21643?

CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet's FortiClientEMS product, version 7.4.4. FortiClientEMS is an endpoint management solution that lets organizations manage and monitor their endpoints and keep them protected against a range of threats. The vulnerability stems from improper neutralization of special elements used in SQL commands: an unauthenticated attacker can supply specially crafted HTTP requests that cause unauthorized SQL commands to be executed against the backend database. Successful exploitation can compromise the database and the sensitive information it holds, severely undermining the integrity and confidentiality of the organization's data and systems.

Potential impact of CVE-2026-21643

  1. Unauthorized Code Execution: The vulnerability lets attackers execute arbitrary SQL commands without authentication, which can lead to full control over the database or even the server environment. This can result in unauthorized access to sensitive data, or the manipulation and deletion of critical records.

  2. Data Breach Risks: Exploiting this vulnerability could expose confidential information stored within the managed endpoints, including personal and financial data, intellectual property, and more. This could lead to significant legal and reputational ramifications for organizations affected by data breaches.

  3. Increased Attack Surface: Because this SQL injection vulnerability can be exploited remotely and without authentication, it presents a low-barrier entry point for malicious actors. Successful exploitation may facilitate further attacks, allowing threat actors to escalate privileges or deploy additional malware, posing a long-term risk to the organization's security posture.

CISA has reported CVE-2026-21643

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-21643 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

FortiClientEMS 7.4.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software

CISA adds six exploited vulnerabilities, including Fortinet and Exchange flaws, requiring FCEB patching by April 27, 2026.

2 weeks ago

EPSS Score

43% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by The Hacker News

  • CISA Reported

  • Vulnerability started trending

  • Public PoC available

  • Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved