Attackers Exploiting FortiClient EMS SQLi Flaw in the Wild

The grace period is over for FortiClient EMS administrators who delayed patching. Threat intelligence firm Defused confirmed that attackers began exploiting CVE-2026-21643 on or around March 26—six weeks after Fortinet released fixes for the critical SQL injection vulnerability.

We covered CVE-2026-21643 when Fortinet disclosed it in February. At that time, no active exploitation had been detected. That changed last week.

The CVSS 9.8 vulnerability allows unauthenticated attackers to execute arbitrary commands on FortiClient EMS servers through specially crafted HTTP requests. FortiClient EMS manages endpoint deployments across enterprise networks—compromising it gives attackers visibility into every managed endpoint and a foothold in security infrastructure.

How the Attack Works

The vulnerability exists in FortiClient EMS version 7.4.4's multi-tenant feature. Bishop Fox researchers detailed the technical root cause: the HTTP header identifying which tenant a request belongs to gets passed directly into a database query without sanitization. This happens before any authentication check.

The attack flow:

1. Attacker sends HTTP requests to the EMS administrative interface
2. Malicious SQL payload embedded in tenant identification header
3. Database executes injected commands
4. Attacker chains SQL injection with command execution

Successful exploitation grants access to administrative credentials, endpoint inventory data, security policies, and managed endpoint certificates. From there, attackers can modify endpoint configurations, push malicious updates, or use the compromised EMS as a launching point for lateral movement.

Attack Surface

Shodan scans reveal approximately 1,000 FortiClient EMS instances directly exposed to the public internet. That number represents only the most exposed configurations—many more instances sit behind corporate firewalls but remain accessible to attackers who've already gained network access through other means.

Multi-tenant deployments are specifically vulnerable. Single-site installations don't use the affected tenant identification mechanism and remain unaffected.

The combination of critical severity, clear exploitation path, and six-week patch availability made this an obvious target. Similar patterns emerged with F5 BIG-IP APM exploitation and Citrix NetScaler attacks—enterprise security appliances with known vulnerabilities get targeted aggressively once attackers develop reliable exploits.

Affected Versions and Remediation

Only FortiClient EMS 7.4.4 contains the vulnerability. Version 7.4.5 patches the flaw, and versions 7.2 and 8.0 were never affected.

Organizations running 7.4.4 with multi-tenant mode enabled must upgrade immediately. The six-week window between patch availability and confirmed exploitation was generous by modern standards—delays now mean playing catch-up against active attackers.

For organizations that somehow can't upgrade immediately, restricting network access to the EMS administrative interface provides partial mitigation. But this doesn't address insider threats or attackers who've already compromised other network resources.

Post-Exploitation Concerns

If your EMS was exposed before patching, assume compromise and investigate:

1. Review administrative access logs for unusual authentication or configuration changes
2. Audit endpoint policies for unauthorized modifications
3. Check for unexpected software deployments pushed through EMS
4. Rotate all EMS administrative credentials
5. Review managed endpoint certificates for tampering

Attackers targeting endpoint management infrastructure typically want persistent access. Compromising EMS lets them maintain footholds across managed devices even after the initial vulnerability is patched. Organizations dealing with phishing campaigns should also review our guide on recognizing phishing attempts as attackers often combine technical exploitation with social engineering.

Fortinet's Ongoing Security Challenges

This marks another entry in Fortinet's difficult year. We've tracked FortiGate authentication bypasses under active exploitation, Brutus brute-force tools targeting Fortinet infrastructure, and multiple other critical vulnerabilities across the product line.

The company's products sit at network perimeters where vulnerabilities have outsized impact. Attackers know this—Fortinet devices appear consistently in initial access campaigns from both criminal groups and state-sponsored operators.

Delayed patching of Fortinet products isn't a calculated risk anymore. It's an invitation for compromise. The exploitation of CVE-2026-21643 reinforces what security teams should already know: critical vulnerabilities in perimeter security products demand immediate response.