Critical SQL Injection Flaw in FortiClient EMS Exploited as Fortinet Faces Growing Wave of Targeted Attacks
A critical SQL injection flaw in FortiClient EMS is being exploited in the wild, allowing unauthenticated attackers to execute code and steal sensitive data.
By: AXL Media
Published: Apr 2, 2026, 5:49 AM EDT
Source: Information for this report was sourced from CSO Online.

The Persistent Threat of SQL Injection Vulnerabilities
Despite being one of the oldest and most documented classes of application security risks, SQL injection remains a potent weapon in the modern attacker’s arsenal. The latest critical flaw to hit Fortinet, identified as CVE-2026-21643, involves the "improper neutralization of special elements" within SQL commands. This allows an unauthenticated attacker to send a specifically crafted HTTP request to the FortiClient Endpoint Management Server (EMS), gaining the ability to execute arbitrary code. Security experts note with concern that this is the seventh such vulnerability discovered in Fortinet’s portfolio over the last twelve months, suggesting a systemic struggle to eliminate this specific class of software bugs from the company’s codebase.
A Low-Complexity Gateway to Sensitive Data
The technical deep dive into the vulnerability reveals a dangerously low barrier to entry for threat actors. According to researchers at Bishop Fox, an attacker requires no credentials to exploit the flaw; they simply need to reach the EMS web interface over HTTPS. Once a crafted header value is sent, the attacker can execute commands against the underlying PostgreSQL database. This provides nearly total visibility into the target’s security infrastructure, including administrator credentials, endpoint inventory data, and security certificates. The lack of lockout protections on these systems further enables attackers to rapidly extract large volumes of sensitive data without triggering standard defense mechanisms.
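The pattern described above, a request header spliced straight into a SQL command, is shown here as an added example that is not Fortinet's code. An in-memory SQLite table stands in for the PostgreSQL database behind EMS, and the header name `X-Tenant-Id`, the table schema and the sample headers are constructed assumptions for illustration; the hardened function shows the parameterized query that neutralizes the special elements.

```python
# Added example, not Fortinet's code. Uses an in-memory SQLite table as a
# stand-in for the PostgreSQL database behind EMS; the header name
# "X-Tenant-Id" and the tenants schema are assumptions for illustration.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenants (id TEXT, admin_hash TEXT)")
    db.executemany("INSERT INTO tenants VALUES (?, ?)",
                   [("acme", "hash-a"), ("globex", "hash-g")])
    return db


def lookup_vulnerable(db, headers):
    # Improper neutralization: the header value becomes part of the SQL
    # text, so quote characters in it change the statement's meaning.
    tenant = headers.get("X-Tenant-Id", "")
    sql = f"SELECT id, admin_hash FROM tenants WHERE id = '{tenant}'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, headers):
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, whatever characters it contains.
    tenant = headers.get("X-Tenant-Id", "")
    sql = "SELECT id, admin_hash FROM tenants WHERE id = ?"
    return db.execute(sql, (tenant,)).fetchall()


# Constructed sample headers: one benign tenant lookup, one hostile value.
CONSTRUCTED_BENIGN = {"X-Tenant-Id": "acme"}
CONSTRUCTED_HOSTILE = {"X-Tenant-Id": "x' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, CONSTRUCTED_BENIGN))   # one row
    print(lookup_vulnerable(db, CONSTRUCTED_HOSTILE))  # every row leaks
    print(lookup_hardened(db, CONSTRUCTED_HOSTILE))    # no rows
```

The vulnerable lookup returns every tenant's record for the hostile header, which is the data-exposure behaviour the researchers describe; the bound-parameter version returns nothing for the same input.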
Geographic Exposure and the Scope of Risk
The scale of the potential impact is significant, with security watchdogs like the Shadowserver Foundation tracking over 2,400 FortiClient EMS instances currently exposed to the internet. The majority of these vulnerable systems are located in the United States and Europe. The flaw specifically impacts FortiClient EMS version 7.4.4 when multi-tenant mode is enabled, though single-site deployments are reportedly unaffected. Because the EMS serves as a centralized hub for managing security policies across thousands of corporate endpoints, a single compromise can make lateral movement within a corporate network a "breeze," potentially leading to large-scale ransomware deployment.