Critical Fortinet Forticlient EMS Vulnerability Exploited in Attacks

Home Cyber Security News Critical Fortinet Forticlient EMS Vulnerability Exploited in Attacks A critical SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-21643, is actively being exploited in the wild. Threat actors have been leveraging this flaw in attacks starting four days ago, despite it not yet appearing on the CISA Known Exploited Vulnerabilities catalog. The security flaw affects FortiClient EMS version 7.4.4, leaving systems vulnerable to unauthorized remote commands. Fortinet has assigned this issue a critical CVSS score of 9.1, reflecting its severe potential impact on enterprise environments. The structured details of the vulnerability are outlined below to assist security teams with rapid threat classification. FortiClient EMS Vulnerability Exploited Recent Defused Cyber telemetry confirms that exploitation campaigns targeting internet-facing servers have successfully commenced. According to Shodan data, nearly 1,000 instances of FortiClient EMS are currently publicly exposed, providing a substantial attack surface for threat actors. In observed attacks, threat actors are bypassing security controls by smuggling malicious SQL statements through the Site header within an HTTP GET request. 🚨CITRIX NETSCALER CVE-2026-3055 IS BEING ACTIVELY EXPLOITED IN THE WILD ATTACKERS SEND CRAFTED SAMLREQUEST PAYLOADS TO /SAML/LOGIN OMITTING THE ASSERTIONCONSUMERSERVICEURL FIELD, TRIGGERING THE APPLIANCE TO LEAK MEMORY CONTENTS VIA THE NSC_TASS COOKIE. OUR HONEYPOT DATA… PIC.TWITTER.COM/G8CGM9DVD9 — Defused (@DefusedCyber) March 29, 2026 A recorded payload targeting the /api/v1/init_consts endpoint demonstrates attackers injecting commands such as Site: x'; SELECT pg_sleep(4)--. This specific attack was observed originating from the threat actor IP address 104.192.92.135. Discovered internally by Gwendal Guégniaud of Fortinet’s Product Security team, the flaw was officially disclosed on February 6, 2026. The vulnerability stems from the improper neutralization of special elements within SQL commands in the FortiClient EMS administrative web interface. Because the software fails to properly sanitize user-supplied input, unauthenticated attackers can remotely execute arbitrary code. Unauthenticated attackers can exploit this flaw without valid credentials, enabling them to completely compromise vulnerable endpoint management servers. Successful exploitation allows threat actors to steal sensitive enterprise data, deploy secondary malware payloads, or move laterally across the internal network. The lack of authentication requirements makes this a highly attractive target for initial access brokers and ransomware affiliates. Security teams must actively monitor their network traffic logs for anomalous HTTP GET requests directed at the administrative interface. Defenders should specifically search for unexpected characters or SQL commands injected into the Site header, particularly attempts to execute time-based SQL injection functions. Identifying these specific indicators of compromise is crucial for detecting unauthorized access attempts before full exploitation occurs. System administrators should rapidly inventory their external attack surface to identify any publicly exposed deployments running version 7.4.4. Upgrading to version 7.4.5 is the only definitive mitigation, and organizations should prioritize this update within their emergency patch management cycles. FortiClient EMS versions 7.2, 8.0, and the FortiEMS Cloud environments remain entirely unaffected by this security flaw. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Critical n8n Vulnerability Let Attackers Achieve Remote Code Execution Cyber Security TeamPCP Supply Chain Attack Allegedly Compromised Databricks Platform Cyber Security India Set to Ban Sale of Hikvision, TP-Link, CCTV Products From April Top 10 10 Best Spam Filter Tools 2026 March 30, 2026 10 Best Log Monitoring Tools in 2026 March 30, 2026 10 Best Fraud Detection Tools in 2026 March 30, 2026 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026