CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4 allowing unauthenticated RCE. Immediate patching is required.
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| forticlientems | 7.4.4 | 7.4.4 | vulnerable |
Immediately consult the Fortinet PSIRT advisory FG-IR-25-1142 and apply the recommended firmware updates or hotfixes provided by Fortinet to address the SQL injection flaw.
Ensure that FortiClient EMS installations running version 7.4.4 are upgraded to a patched version as specified in the vendor's release notes to eliminate the vulnerability.
Limit access to the FortiClient EMS administrative interface and HTTP/HTTPS ports to trusted internal IP addresses only, using firewalls or access control lists (ACLs) to reduce the attack surface.
Review web server logs for suspicious SQL syntax or unusual HTTP requests targeting the EMS server, and monitor for unexpected process executions or outbound connections from the EMS host.
Organizations should monitor HTTP traffic for common SQL injection patterns (e.g., single quotes, semicolons, or UNION SELECT statements) targeting the FortiClient EMS management port. Inspect web server logs for 400- or 500-level errors associated with malformed requests. Additionally, use EDR tools to detect anomalous child processes spawned by the EMS service or unexpected database queries that deviate from established baselines.
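The log review described above, as an added example that is not part of the advisory or Fortinet's tooling: it parses combined-format web server access log lines, URL-decodes each request path, flags the SQL injection indicators the text names (single quotes, semicolons, UNION SELECT), and records whether the server answered with a 4xx/5xx error. The sample log lines, addresses and URL paths are constructed placeholders, not real FortiClient EMS routes.

```python
"""Scan web-server access logs for the SQL-injection indicators listed above.
Added example, not Fortinet's code: sample lines, addresses and URL paths are
constructed placeholders, not real FortiClient EMS routes."""
import re
from urllib.parse import unquote_plus

# Apache/NGINX combined format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators named in the advisory text: quotes, semicolons, UNION ... SELECT.
SQLI_PATTERNS = {
    "single_quote": re.compile(r"'"),
    "semicolon": re.compile(r";"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
}

def sqli_indicators(path):
    """Return the indicator names found in a request path (URL-decoded first)."""
    decoded = unquote_plus(path)  # look at %27, %3B, %20 as the server sees them
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]

def scan_log(lines):
    """One finding per request carrying an indicator. A 4xx/5xx reply to such a
    request is the second signal the text names, so it is recorded as well."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        hits = sqli_indicators(m["path"])
        if hits:
            status = int(m["status"])
            findings.append({"src": m["src"], "path": m["path"], "status": status,
                             "indicators": hits, "error_response": status >= 400})
    return findings

# Constructed sample log (placeholder addresses and paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2026:10:00:01 +0000] "GET /api/status HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2026:10:00:02 +0000] "GET /login?u=admin%27%20OR%201%3D1-- HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Mar/2026:10:00:03 +0000] "POST /search?q=1%20UNION%20SELECT%20version() HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2026:10:00:04 +0000] "GET /report?id=5;DROP HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Findings from a source that repeatedly triggers indicators and error replies are the ones to correlate with EDR data from the EMS host, as the text recommends.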