Shortly after our recent coverage of high-impact FortiOS SSO zero-day exploitation (CVE-2026-24858), defenders are facing another urgent patching priority in the Fortinet ecosystem. On February 6, Fortinet released a fix for a critical SQL injection flaw that can be triggered remotely and doesn’t require authentication, potentially leading to unauthorized code or command execution.
Although there are currently no signs of exploitation in the wild, CVE-2026-21643 requires immediate attention and patching as SQL injection remains one of the most dangerous web vulnerability classes. OWASP Top 10 2025 links Injection to 62,445 known CVEs, including more than 14,000 SQL injection issues. The risk is straightforward. If an application lets untrusted input reach the database interpreter, an attacker can make the database run unintended commands, steal or change data, and, in some cases, escalate to full system compromise.
Sign up for the SOC Prime Platform to access real-time detection intelligence and ready-to-go use cases for emerging risks like vulnerability exploitation. Click Explore Detections to view the full collection of rules filtered by the “CVE” tag.
All rules are compatible with multiple SIEM, EDR, and Data Lake platforms and are mapped to the MITRE ATT&CK® framework. Each rule includes CTI links, attack timelines, audit settings, triage guidance, and more relevant metadata.
Cyber defenders can also use Uncoder AI to empower their detection engineering workflows. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.
CVE-2026-21643 Analysis
On February 6, 2026, Fortinet released an advisory describing CVE-2026-21643 as an improper neutralization of special elements used in an SQL Command (SQL Injection) in FortiClient EMS, where a remote attacker can send specially crafted HTTP requests to trigger the flaw. Because the issue is pre-auth, an exposed or reachable EMS administrative interface becomes a high-value target for initial access, potentially leading to rapid foothold establishment, follow-on tooling, and lateral movement from a system that often has broad visibility into endpoints.
CVE-2026-21643 obtains a critical CVSS score of 9.8, highlighting the urgent need for patching. The good news for defenders is that the scope is clear. Fortinet’s advisory highlights that only FortiClientEMS 7.4.4 is affected and that upgrading to 7.4.5 or later addresses the issue, while 7.2 and 8.0 are not impacted.
Enhancing proactive cybersecurity strategies is crucial for reducing exploitation risk. By leveraging SOC Prime’s AI-Native Detection Intelligence Platform for enterprise-grade cyber defense, organizations can scale detection operations and strengthen their security posture. Register now to improve visibility into threats most relevant to your business and to accelerate response when new critical threats like CVE-2026-21643 appear.
FAQ
What is CVE-2026-21643 and how does it work?
CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClientEMS 7.4.4. The issue is caused by improper handling of special characters in SQL commands, so a remote attacker can send specially crafted HTTP requests and potentially execute unauthorized code or commands.
When was CVE-2026-21643 first discovered?
Fortinet has released an advisory describing CVE-2026-21643 on February 6, 2026, which is also the day when the vulnerability was recorded by NVD. Gwendal Guégniaud from the Fortinet Product Security team has been credited for discovering and reporting the flaw.
Which risks does CVE-2026-21643 pose to systems?
The main risk is remote compromise of the FortiClient EMS server. If a vulnerable EMS instance is reachable, an attacker can abuse the SQL injection through crafted HTTP requests to run unauthorized actions and potentially escalate to code or command execution. This can lead to data access or tampering, service disruption, and a foothold that can be used to pivot deeper into the environment.
Can CVE-2026-21643 still affect me in 2026?
Yes, if you are running FortiClient EMS 7.4.4 and have not applied the fix. Fortinet states the issue is resolved in 7.4.5 and later, and notes that 7.2 and 8.0 are not affected.
How can you protect against CVE-2026-21643?
Upgrade FortiClient EMS to 7.4.5 or later and limit access to the EMS web interface to trusted admin networks only. Until patching is complete, increase monitoring on the EMS host and its web traffic for unusual requests and unexpected process activity.
The post CVE-2026-21643: Critical FortiClient EMS Vulnerability Enables Unauthenticated Remote Code Execution appeared first on SOC Prime.