Advisory : FortiClient EMS Vulnerability CVE‑2026‑21643: Critical SQL Injection Risk

On February 6, 2026, Fortinet disclosed a severe security flaw in FortiClient EMS (Endpoint Management Server), tracked as CVE‑2026‑21643. This vulnerability carries a CVSS score of 9.1/10, marking it as critical and putting organizations at high risk of remote code execution attacks.

What Is CVE‑2026‑21643?

• Type: SQL Injection in the FortiClient EMS administrative interface
• Severity: Critical (CVSS 9.1/10)
• Affected Version: FortiClient EMS 7.4.4
• Safe Versions: FortiClient EMS 7.2, 8.0, and FortiEMS Cloud

At its core, CVE‑2026‑21643 is an SQL injection vulnerability. The admin interface fails to properly sanitize special characters in SQL queries, allowing attackers to inject malicious code. Unlike many flaws, this one requires no authentication—attackers can exploit it remotely by sending crafted HTTP requests to vulnerable servers.

Why It’s So Dangerous

• No login credentials needed: Exploitable without authentication.
• Remote attack surface: Accessible over the network.
• Full system compromise: Successful exploitation enables unauthorized code execution, data theft, malware deployment, and lateral movement across networks.
• High‑impact environment: FortiClient EMS manages thousands of endpoints, making compromise catastrophic.

Fortinet’s Response

Fortinet acted quickly, releasing FortiClient EMS version 7.4.5 to patch the flaw. The vulnerability was discovered internally by Gwendal Guégniaud from Fortinet’s Product Security team and documented in FortiGuard advisory FG‑IR‑25‑1142.