A critical pre-authentication SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server (EMS) version 7.4.4 is under active exploitation, and the CISA remediation deadline hits tomorrow, April 16, 2026. If you manage FortiClient endpoints and haven’t patched yet, stop reading and go upgrade.

What Happened

On April 13, 2026, CISA added CVE-2026-21643 to its Known Exploited Vulnerabilities (KEV) catalog alongside five other flaws affecting Fortinet, Microsoft, and Adobe products. The FortiClient EMS bug carries a CVSS score of 9.1 and requires no authentication to exploit: an unauthenticated remote attacker can execute arbitrary code or administrative commands via crafted HTTP requests.

Fortinet’s own Product Security team (Gwendal Guégniaud) originally discovered and reported the issue, tracked under advisory FG-IR-25-1142. Fortinet published the advisory on February 6, 2026, but exploitation in the wild has been observed since at least March 24, 2026, according to researchers at Defused Cyber.

Technical Details

The root cause is a textbook blunder in the database connection layer. In FortiClient EMS version 7.4.4, a code change replaced parameterized query handling with raw string interpolation in the DAS (Data Access Server) component. This introduced a pre-authentication SQL injection vector that gives attackers full read/write access to the EMS management database.

  • CVE: CVE-2026-21643
  • CVSS 3.1: 9.1 (Critical)
  • CWE: CWE-89, Improper Neutralization of Special Elements used in an SQL Command
  • Advisory: FG-IR-25-1142
  • Attack Vector: Network (no authentication required)
  • Attack Complexity: Low
  • Affected: FortiClient EMS 7.4.4
  • Not Affected: FortiEMS Cloud (confirmed removed from affected list)
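To make the root cause concrete, here is an added example (not FortiClient EMS code, and not from the advisory) that reproduces the class of regression described above: the same lookup written once with the input interpolated into the SQL text and once with a bound parameter. The schema, table names, tokens and the `lookup_*` functions are hypothetical, and SQLite stands in for the real EMS database so the script runs offline.

```python
import sqlite3

# Added example: a stand-in for the regression the article describes.
# The schema, rows and lookup functions are hypothetical and use SQLite
# so the demonstration runs offline; none of this is FortiClient EMS code.

def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, deploy_token TEXT)")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO endpoints VALUES (?, ?)",
                     [("ws-01", "tok-a1"), ("ws-02", "tok-b2")])
    conn.execute("INSERT INTO admins VALUES (?, ?)", ("admin", "constructed-hash"))
    conn.commit()
    return conn

def lookup_vulnerable(conn, hostname):
    """The pattern the article describes: request input spliced into the SQL text.
    Whatever the caller puts in `hostname` is parsed as part of the statement."""
    sql = f"SELECT hostname, deploy_token FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, hostname):
    """The fixed form: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT hostname, deploy_token FROM endpoints WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()

# Constructed payloads of the kind a pre-auth SQLi permits against the vulnerable form.
TAUTOLOGY = "' OR '1'='1"                                             # dump every endpoint row
UNION_DUMP = "' UNION SELECT username, password_hash FROM admins --"  # read a different table

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "ws-01"))
    print("vulnerable, tautology    :", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, UNION dump   :", lookup_vulnerable(conn, UNION_DUMP))
    print("parameterized, tautology :", lookup_parameterized(conn, TAUTOLOGY))
    print("parameterized, UNION dump:", lookup_parameterized(conn, UNION_DUMP))
```

Against the interpolated form the tautology returns every endpoint row and the UNION payload returns rows from a table the query never referenced; the parameterized form returns nothing for either, because the bound value is compared as data rather than compiled as SQL. The write side (modifying policies, which the article lists next) follows the same mechanism once the database user has write access.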

Once an attacker successfully injects SQL commands through the administrative interface, they can:

  1. Dump the management database: endpoint inventory, configuration policies, deployment credentials
  2. Modify configuration: push malicious policies to managed endpoints
  3. Deploy secondary payloads: leverage EMS as a distribution point across the managed fleet
  4. Pivot laterally β€” EMS typically has network visibility to every managed endpoint

This is particularly dangerous because FortiClient EMS is, by design, a central management server with broad network access to every endpoint it manages. Compromising EMS is effectively compromising your entire endpoint fleet.

Who’s Affected

Any organization running FortiClient EMS 7.4.4 on-premises. Version 7.4.4 was released in late 2025, so organizations that upgraded during that cycle and haven’t patched since are in the blast radius.

FortiEMS Cloud customers are not affected β€” Fortinet explicitly removed it from the affected products list.

Federal Civilian Executive Branch (FCEB) agencies are bound by Binding Operational Directive 22-01 to remediate KEV entries by the listed due date, which for this CVE is April 16, 2026. Everyone else should treat that deadline as their own.

Mitigation

Patch immediately. Upgrade FortiClient EMS from 7.4.4 to 7.4.5 or later. This is the only complete fix. Only 7.4.4 is listed as affected, but confirm the installed version on every EMS server rather than assuming it from your upgrade records.

If you cannot patch immediately:

  1. Restrict network access to the EMS administrative interface. It should not be exposed to the internet or untrusted network segments.
  2. Monitor for exploitation: review the web-server and request logs in front of EMS for SQL metacharacters and keywords (quotes, comment sequences, UNION/SELECT, stacked statements) in request parameters, and the database logs for statements the application would not normally issue. Exploitation has been observed in the wild since March 24, so extend the review back at least that far.
  3. Audit your EMS database for unauthorized modifications to endpoint policies or configuration.
  4. Check for indicators of compromise β€” secondary payloads, unexpected outbound connections from the EMS server, or modified deployment packages.
  5. Rotate credentials stored in or managed by FortiClient EMS after patching.
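Step 2 above is the one people skip because "anomalous SQL query patterns" is vague, so here is an added example of what a first pass looks like in practice. It is not from the article, Fortinet, or Defused Cyber, and it is deliberately generic: the page does not describe the real exploit requests, so the request paths and the log lines below are constructed, and the signatures are broad SQL-injection heuristics rather than indicators for CVE-2026-21643 specifically. It URL-decodes each request's query string and flags lines that match one of several signature classes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (combined-format style). Paths and parameters
# are hypothetical; the article does not describe the real exploit requests.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2026:02:14:07 +0000] "GET /api/endpoints?host=ws-01 HTTP/1.1" 200 512
203.0.113.9 - - [25/Mar/2026:02:14:09 +0000] "GET /api/endpoints?host=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031
203.0.113.9 - - [25/Mar/2026:02:14:11 +0000] "GET /api/endpoints?host=%27%20UNION%20SELECT%20username%2Cpassword_hash%20FROM%20admins--%20 HTTP/1.1" 200 2210
10.0.0.7 - - [25/Mar/2026:02:15:00 +0000] "POST /api/login HTTP/1.1" 302 0
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Heuristic SQL-injection signatures, applied to the URL-decoded query string.
# Generic, not CVE-specific; tune the set against your own traffic to control false positives.
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I),
    "quote_boolean": re.compile(r"'\s*(or|and)\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "stacked_query": re.compile(r";\s*(drop|update|insert|delete|exec)\b", re.I),
    "time_based": re.compile(r"\b(sleep|pg_sleep|waitfor\s+delay|benchmark)\b", re.I),
}

def decode_target(target):
    """Split a request target into (path, URL-decoded query string)."""
    path, _, query = target.partition("?")
    return path, unquote_plus(query)

def scan_access_log(text):
    """Return one finding per request whose decoded query matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; in production, count these rather than drop silently
        path, query = decode_target(m.group("target"))
        matched = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(query)]
        if matched:
            findings.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "path": path,
                "decoded_query": query,
                "status": int(m.group("status")),
                "signatures": matched,
            })
    return findings

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["timestamp"], hit["client"], hit["path"], hit["signatures"])
        print("   ", hit["decoded_query"])
```

Decoding before matching matters: the second and third sample lines carry their payloads percent-encoded, and a signature run over the raw line would miss `' OR '1'='1`. A 200 response with an unusually large body on a flagged request (as in the constructed second line) is worth pulling the database logs for, since it is consistent with a successful dump rather than a rejected probe. Run this over the same window the article cites, back to March 24 at minimum, and also against POST bodies if your proxy logs them.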

The Bigger Picture

This is the second critical FortiClient EMS vulnerability to hit the KEV catalog in recent months (following CVE-2026-35616, a zero-day API authentication bypass). Fortinet endpoint management infrastructure continues to be a high-value target, and the pattern of pre-auth vulns in EMS suggests the codebase needs deeper security review.

The other five CVEs added to the KEV catalog in the same batch include flaws in Microsoft Exchange Server (CVE-2023-21529), Windows CLFS Driver (CVE-2023-36424), and Adobe Acrobat Reader (CVE-2020-9715), all now confirmed under active exploitation.

References