Fortinet Patches Critical SQLi-to-RCE Flaw in FortiClientEMS

Fortinet released a critical patch for FortiClient EMS, fixing a SQL injection vulnerability that attackers can chain with command execution to fully compromise systems without authentication. CVE-2026-21643 carries a CVSS score of 9.8—one of the most severe vulnerabilities disclosed in Fortinet products this year.

FortiClient EMS is the endpoint management server that organizations use to deploy, configure, and monitor FortiClient installations across their networks. Compromising it gives attackers a foothold in security infrastructure with visibility into—and potentially control over—managed endpoints.

Vulnerability Details

The flaw exists in FortiClientEMS's web interface and stems from improper neutralization of special elements in SQL commands. An unauthenticated remote attacker can send specially crafted requests to the web GUI that execute arbitrary SQL queries against the backend database.

But the vulnerability goes beyond data theft. Arctic Wolf's analysis confirmed that attackers can chain the SQL injection with command execution capabilities, transforming a database vulnerability into full system compromise. Successful exploitation allows:

• Creating or modifying administrative accounts
• Injecting malicious payloads
• Executing arbitrary commands on the host operating system
• Establishing persistent access for follow-on attacks

This attack pattern—SQLi chaining to RCE—isn't new, but it's particularly dangerous in management software where the compromised system has legitimate access to other resources.

Affected Versions

Fortinet's advisory confirms FortiClient EMS 7.4.4 is vulnerable. The fix ships in version 7.4.5 and later. Versions 7.2 and 8.0 are not affected.

Organizations running the vulnerable version should upgrade immediately. SOC Prime's coverage notes no active exploitation has been detected yet, but that status typically changes quickly once technical details circulate.

Fortinet's Recurring Challenges

This isn't Fortinet's first critical vulnerability in recent months. We've tracked multiple high-severity flaws in Fortinet products including the FortiGate authentication bypass that attackers exploited before patches were available, and the Brutus brute-force tool circulating on dark web forums that specifically targets Fortinet infrastructure.

Fortinet devices sit at network perimeters—exactly where attackers focus exploitation efforts. A compromised FortiGate firewall or FortiClientEMS server provides initial access into otherwise protected networks. State-sponsored groups and ransomware operators both prioritize these targets.

Mitigation Steps

1. Upgrade to FortiClient EMS 7.4.5 or later immediately
2. Restrict access to the EMS web interface to trusted administrative networks only—don't expose it to the internet
3. Review EMS logs for unusual authentication attempts or database queries
4. Audit administrative accounts for unauthorized additions or modifications
5. Monitor downstream FortiClient deployments for policy changes or suspicious activity

If you can't patch immediately, network segmentation provides partial mitigation. Limiting which systems can reach the EMS web interface reduces the attack surface, though it doesn't eliminate the vulnerability.

Timeline Pressure

The typical window between vulnerability disclosure and active exploitation has compressed dramatically. APT28 weaponized the Microsoft Office zero-day within 72 hours of Microsoft's January disclosure. CISA's KEV catalog updates increasingly include vulnerabilities with confirmed pre-disclosure exploitation.

For critical infrastructure software like FortiClient EMS, assume threat actors are already analyzing the patch to develop exploits. Organizations with exposed instances face the highest risk. Those with proper network segmentation have more time, but still need to prioritize patching.

FortiClient EMS 7.4.5 is available now. The question isn't whether to patch—it's how quickly you can schedule the upgrade.