Fortinet warns of a critical FortiClientEMS vulnerability that lets remote attackers run malicious code without logging in.
Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).
The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
The company did not disclose whether the vulnerability is currently being actively exploited in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, FortiClientEMS)
