Attackers are now actively exploiting a critical vulnerability in Fortinet’s FortiClient EMS platform, according to threat intelligence company Defused.
Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClientEMS GUI (web interface) via maliciously crafted HTTP requests.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data,” Defused warned over the weekend.
“Attackers can smuggle SQL statements through the ‘Site’-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.”
The vulnerability, discovered internally by Gwendal Guégniaud of the Fortinet Product Security team, affects FortiClient EMS version 7.4.4 and can be patched by upgrading to version 7.4.5 or later.
Fortinet has yet to update its security advisory and flag the vulnerability as exploited in the wild. BleepingComputer reached out to a Fortinet spokesperson to confirm reports of active exploitation, but a response was not immediately available.
Internet security watchdog group Shadowserver is currently tracking over 2,000 FortiClient EMS instances with their web interfaces exposed online, with more than 1,400 IPs in the United States and in Europe.
A separate Shodan search shows more than FortiClient EMS, with most exposed instances in the United States.
Fortinet vulnerabilities are frequently exploited to breach corporate networks in ransomware attacks and cyber espionage campaigns (often as zero-day bugs while patches are still pending).
Most recently, Fortinet mitigated CVE-2026-24858 zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
Two years ago, in March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another FortiClient EMS SQL injection vulnerability that had been exploited in ransomware attacks and by Salt Typhoon, a Chinese state-sponsored hacking group, to breach telecommunications service providers.
In total, CISA has flagged 24 Citrix vulnerabilities as actively exploited, 13 of which were used in ransomware attacks.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
