Critical FortiClient EMS Vulnerability Allows Remote Malicious Code Execution

A critical security flaw in Fortinet’s FortiClient EMS (Endpoint Management Server) puts organizations at high risk of remote code execution attacks.

Tracked as CVE-2026-21643, this vulnerability was disclosed on February 6, 2026, earning a severe CVSS score of 9.1 out of 10.

At its core, the issue is an SQL injection (SQLi) vulnerability in the FortiClient EMS administrative interface.

SQL injection happens when attackers sneak malicious code into database queries through unsecured input fields.

Here, the software doesn’t properly sanitize special characters in SQL commands, letting attackers hijack the database.

Data Point	Details
CVE ID	CVE-2026-21643
Product	FortiClient EMS
Vulnerability Type	SQL Injection in Admin Interface
Severity	Critical
CVSS Score	9.1/10

What makes CVE-2026-21643 especially alarming? It requires no authentication. Attackers can exploit it remotely over the network by sending crafted HTTP requests to vulnerable servers, no login credentials or physical access needed.

Success means they can run unauthorized code, fully compromising the system. This opens doors to stealing sensitive data, deploying malware, or pivoting to other network targets.

The flaw hits FortiClient EMS version 7.4.4 hard. Versions 7.2 and 8.0 escape unscathed, as do FortiEMS Cloud users.

Fortinet acted fast, releasing version 7.4.5 to fix the hole. If you’re on 7.4.4, upgrade now to 7.4.5 or later.

Gwendal Guégniaud from Fortinet’s Product Security team found the bug internally, as detailed in FortiGuard advisory FG-IR-25-1142. The quick jump from discovery to patch shows how seriously they take it.

Mitigation Steps

Admins, act urgently:

1. Scan your network for FortiClient EMS 7.4.4 instances.
2. Schedule upgrades during low-traffic windows.
3. Test patches in staging before full rollout.
4. Watch logs for odd HTTP requests to the admin interface, signs of probes.
5. Limit admin interface exposure; use firewalls to block unauthenticated access.

This vulnerability underscores a key lesson: even trusted endpoint tools need constant vigilance. SQLi flaws like this have plagued software for years, from early web apps to modern enterprise gear. Proactive patching and monitoring keep attackers at bay.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Critical FortiClient EMS Vulnerability Allows Remote Malicious Code Execution appeared first on Cyber Security News.