Critical SQL Injection in FortiClientEMS: CVE-2026-21643

CVE-2026-21643 is a critical SQL injection vulnerability affecting Fortinet FortiClientEMS version 7.4.4, enabling unauthenticated attackers to execute arbitrary code via crafted HTTP requests to the administrative interface.

Vulnerability Overview

This flaw arises from improper neutralization of special elements in SQL commands (CWE-89), allowing remote exploitation without privileges. The CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its high severity across confidentiality, integrity, and availability.

Affected component: FortiClientEMS 7.4.4 administrative GUI (CPE: cpe:2.3:a:fortinet:forticlientems:7.4.4). No authentication is required, making it highly exploitable over the network.

Timeline and Disclosure

  • Reserved: January 2, 2026
  • Published: February 6, 2026
  • Last Modified: February 11, 2026 (as of current data)

Fortinet’s advisory FG-IR-25-1142 details the issue, with NCIIPC India flagging it as critical for OEM checks.

Exploitation and Threats

The EPSS score stands at 0.13%, indicating a low immediate probability of exploitation, though the risk remains significant because the attack is easy to carry out. Related intelligence links the Lazarus Group and APT28 to this vulnerability, notes ransomware groups such as LockBit 3.0 and BlackCat, and lists 14 IPs and 3 hashes as IOCs.

Because no authentication is required, public exploit code may emerge; monitor for suspicious HTTP requests aimed at the EMS administrative interface.

Mitigation Steps

  • Immediate Patch: Upgrade to FortiClientEMS 7.4.5, 7.6.x, or 8.0.0+ where available.
  • Network Controls: Restrict administrative interface access via firewalls; segment EMS servers.
  • Monitoring: Deploy WAF rules for SQLi detection; log anomalous HTTP traffic.
  • No Workaround: Vendor provides none; patching is essential.
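As an added example (not code from the advisory, Fortinet, or the original post), the following Python routine applies the monitoring step above to web-server access logs: it decodes each request target, keeps only requests under the EMS administrative path, and flags classic SQL-injection indicators. The `/ems/` prefix, the combined-log format, and the sample log lines are assumptions constructed for illustration; the advisory names no endpoint.

```python
import re
from urllib.parse import unquote_plus

# Assumption (not from the advisory): the EMS administrative GUI is served
# under this path prefix. Adjust it to the actual deployment.
EMS_ADMIN_PREFIX = "/ems/"

# Common/combined access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Classic SQL-injection indicators, applied to the URL-decoded request target.
# A hit is a reason to investigate, not proof of exploitation.
SQLI_RULES = {
    "tautology": re.compile(r"""['"]\s*(or|and)\s+[\w'"]+\s*=""", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),
    "time_based": re.compile(r"\b(sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay)", re.I),
    "comment_terminator": re.compile(r"(--|/\*)"),  # noisiest rule, checked last
}


def scan_log_lines(lines, prefix=EMS_ADMIN_PREFIX):
    # Return one finding per request under `prefix` that matches any rule.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        # Decode once: quotes, spaces and '=' usually arrive percent-encoded.
        target = unquote_plus(m["target"])
        if not target.startswith(prefix):
            continue  # only the EMS interface is in scope here
        for name, rule in SQLI_RULES.items():
            if rule.search(target):
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                                 "target": target, "rule": name})
                break  # first matching rule is enough for one request
    return findings


# Constructed sample lines (not real traffic): a benign admin request, an
# encoded tautology probe, and a SQL-looking request outside the EMS prefix.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2026:10:15:01 +0000] "GET /ems/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Feb/2026:10:15:03 +0000] "GET /ems/api/users?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0',
    '198.51.100.4 - - [06/Feb/2026:10:15:05 +0000] "GET /docs/?q=union+select HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} rule={f['rule']} status={f['status']} {f['target']}")
```

Only the second sample line is reported, since the third is scoped out by the prefix; passing `prefix="/"` widens the scan to every request.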

Recommendations for Enterprises

Prioritize scanning with tools such as Qualys or Tenable for exposed FortiClientEMS instances. Teams with a vulnerability management focus should integrate this CVE into CISA KEV monitoring and patch workflows. Track FortiGuard for updates; fixes were rolled out on February 6, 2026.
