Ethical Hacking News

Fortinet FortiClient EMS Flaw: A New High-Severity Vulnerability Brings Immediate Exploitation


Fortinet FortiClient EMS is affected by a new high-severity SQL injection vulnerability (CVE-2026-21643) that allows unauthenticated attackers to execute arbitrary code or commands through crafted HTTP requests to the web interface, leaving more than 2,000 internet-exposed instances open to attacks that are already under way.

  • A critical SQL injection flaw (CVE-2026-21643) in the Fortinet FortiClient EMS platform allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests to the web interface.
  • The vulnerability affects FortiClient EMS version 7.4.4 and is fixed by upgrading to version 7.4.5 or later.
  • Attackers have already begun exploiting the flaw, and Shadowserver is tracking more than 2,000 FortiClient EMS instances with their web interfaces exposed online.
  • The flaw is another reminder to apply vendor patches promptly, especially on management consoles reachable from the internet.
  • CISA has flagged 24 Fortinet vulnerabilities as actively exploited, 13 of them in ransomware attacks.



    Threat intelligence company Defused has reported that a critical SQL injection vulnerability in the Fortinet FortiClient EMS platform (CVE-2026-21643) is being exploited in the wild. The flaw allows unauthenticated attackers to execute arbitrary code or commands on unpatched systems through low-complexity attacks that send maliciously crafted HTTP requests to the FortiClient EMS GUI (web interface).

    The vulnerability was discovered internally by Gwendal Guégniaud of the Fortinet Product Security team and affects FortiClient EMS version 7.4.4. According to Defused, it is fixed by upgrading to version 7.4.5 or later. Fortinet, however, has not yet updated its security advisory to note the active exploitation, so some users may not realize they are at risk.

    Attackers have already begun exploiting this vulnerability, and a large number of FortiClient EMS instances remain publicly exposed. The threat posed by this flaw underlines the importance of keeping software current with vendor updates and patches.

    According to Defused, attackers smuggle SQL statements through the 'Site' header of an HTTP request; because the header value reaches a database query as SQL rather than as data, it gives them a way to read and manipulate sensitive data on vulnerable systems. Internet security watchdog group Shadowserver is currently tracking over 2,000 FortiClient EMS instances with their web interfaces exposed online, more than 1,400 of those IPs in the United States and Europe.

    The vulnerability is particularly concerning because it follows a run of Fortinet flaws exploited in ransomware attacks and cyber-espionage campaigns. CISA has flagged 24 Fortinet vulnerabilities as actively exploited, 13 of them in ransomware attacks alone. CVE-2026-21643 also closely resembles an earlier FortiClient EMS SQL injection vulnerability, flagged by CISA two years ago, which the agency ordered federal agencies to patch after it was exploited in ransomware attacks and by Salt Typhoon, a Chinese state-sponsored hacking group, to breach telecommunications service providers.

    This new high-severity vulnerability underscores the need for organizations to prioritize software updates and security patches. Unpatched systems, particularly those whose EMS web interface is reachable from the internet, are exposed to attacks that are already under way. Users are advised to upgrade to version 7.4.5 or later.
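    The Site-header finding above describes a classic pattern: an HTTP header value reaches a database query as SQL text instead of as data. The Python below is an added example, not FortiClient EMS code and not Defused's or Fortinet's, that models that pattern in miniature: a handler that splices the header into a query, a hardened version that allow-lists the value and binds it as a parameter, and a cheap triage check that can be run over captured requests. The schema, the request path /api/v1/info, the host ems.example.internal and the payload are constructed for the demo; they are not the real product's tables, endpoints or a working exploit.

```python
"""Added example: SQL injection through an HTTP header, modelled in Python.

Not FortiClient EMS code.  The schema, the request path, the hostname and the
sample requests below are constructed for the demo; the actual product's
query and any working payload are not reproduced here.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the product database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sites  (name TEXT PRIMARY KEY, tenant TEXT);
        CREATE TABLE admins (username TEXT, password_hash TEXT);
        INSERT INTO sites  VALUES ('Default', 'corp');
        INSERT INTO admins VALUES ('admin', 'constructed-hash');
        """
    )
    return conn


def parse_request(raw: str) -> dict:
    """Tiny HTTP/1.1 header parser: returns {lower-case name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def lookup_site_vulnerable(conn, headers: dict) -> list:
    """Anti-pattern: the untrusted header is spliced into the SQL text.
    sqlite3.execute() refuses stacked statements, but a UNION is enough to
    pull rows from a table the endpoint was never meant to expose."""
    site = headers.get("site", "")
    sql = f"SELECT name, tenant FROM sites WHERE name = '{site}'"
    return conn.execute(sql).fetchall()


# Assumed policy for legitimate site names; adjust to the real naming
# scheme, but keep quoting and comment characters out.
SITE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def lookup_site_hardened(conn, headers: dict) -> list:
    """Allow-list the value, then bind it as a parameter so it is treated
    as data, never as SQL, whatever it contains."""
    site = headers.get("site", "")
    if not SITE_NAME.fullmatch(site):
        raise ValueError(f"rejected Site header: {site!r}")
    return conn.execute(
        "SELECT name, tenant FROM sites WHERE name = ?", (site,)
    ).fetchall()


# Cheap triage for captured traffic: SQL syntax has no business in a
# site name.  Expect false positives on names containing apostrophes.
SQLI_HINTS = re.compile(r"'|--|/\*|;|\b(union|select|sleep|pg_sleep)\b", re.I)


def suspicious_site_header(headers: dict) -> bool:
    site = headers.get("site")
    return bool(site) and SQLI_HINTS.search(site) is not None


# Constructed requests (path and host are made up for the demo).
BENIGN = (
    "GET /api/v1/info HTTP/1.1\r\n"
    "Host: ems.example.internal\r\n"
    "Site: Default\r\n\r\n"
)
MALICIOUS = (
    "GET /api/v1/info HTTP/1.1\r\n"
    "Host: ems.example.internal\r\n"
    "Site: x' UNION SELECT username, password_hash FROM admins--\r\n\r\n"
)

if __name__ == "__main__":
    db = make_db()
    for label, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        hdrs = parse_request(raw)
        print(label, "flagged:", suspicious_site_header(hdrs))
        print("  vulnerable ->", lookup_site_vulnerable(db, hdrs))
        try:
            print("  hardened   ->", lookup_site_hardened(db, hdrs))
        except ValueError as exc:
            print("  hardened   ->", exc)
```

    Against the constructed malicious request the vulnerable lookup returns the admins row instead of a site, the hardened lookup rejects the header before any query runs, and the triage check flags it. SQLite only lets the demo show data disclosure; on database engines that accept stacked statements or expose functions reaching the operating system, the same splice is the route from SQL injection to the code execution the advisory describes.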



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fortinet-Forticlient-EMS-Flaw-A-New-High-Severity-Vulnerability-Brings-Immediate-Exploitation-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-21643
  • https://www.cvedetails.com/cve/CVE-2026-21643/


  • Published: Mon Mar 30 04:51:10 2026 by llama3.2 3B Q4_K_M