Search

Critical Fortinet FortiClient EMS Flaw Now Exploited in Attacks

Cyber threats and incidents
By Evan Rowe
Credit: Fortinet

Related

Founders, Analysts & Industry Voices

Female Cybersecurity Leaders to Watch in Telecommunications

Telecommunications runs on trust, resilience, and always-on infrastructure, which...
Read more
Founders, Analysts & Industry Voices

Female Cybersecurity Leaders to Watch in Insurance

Insurance has always been a business built on trust,...
Read more
Founders, Analysts & Industry Voices

Female Cybersecurity Leaders to Watch in Aerospace and Defense

Female Cybersecurity Leaders to Watch in Aerospace and Defense Aerospace...
Read more
Cyber threats and incidents

Critical Fortinet FortiClient EMS Flaw Now Exploited in Attacks

What happened A critical Fortinet FortiClient EMS flaw is now...
Read more
Cyber threats and incidents

Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks

What happened Critical Grafana vulnerabilities could allow attackers to achieve...
Read more

Share

What happened

A critical Fortinet FortiClient EMS flaw is now being exploited in attacks, according to threat intelligence company Defused. The vulnerability, tracked as CVE-2026-21643, is a SQL injection issue that can let unauthenticated attackers execute arbitrary code or commands on unpatched systems through malicious HTTP requests targeting the FortiClient EMS web interface. Defused said it saw first exploitation four days before its public warning and noted that attackers can smuggle SQL statements through the Site header in an HTTP request. The flaw affects FortiClient EMS version 7.4.4. Fortinet said the issue was discovered internally by Gwendal Guégniaud of the Fortinet Product Security team and can be fixed by upgrading to version 7.4.5 or later. 

Who is affected

The direct exposure affects organizations running FortiClient EMS version 7.4.4, especially where the web interface is exposed online. Defused said close to 1,000 instances were publicly exposed according to Shodan, while Shadowserver said it was tracking more than 2,000 exposed FortiClient EMS instances. 

Why CISOs should care

This matters because the flaw allows unauthenticated code or command execution through a low-complexity attack path against a management platform used in enterprise environments. It is also significant because the article places the issue in the context of repeated exploitation of Fortinet flaws in ransomware and cyber espionage campaigns. 

3 practical actions

  1. Upgrade affected systems immediately: Move any FortiClient EMS 7.4.4 deployments to version 7.4.5 or later, which Fortinet says patches CVE-2026-21643. 
  2. Reduce internet exposure fast: Identify whether any FortiClient EMS web interfaces are publicly reachable and restrict access where possible, given the reported exposed attack surface. 
  3. Treat exploitation as already underway: Prioritize this issue as an active-incident risk rather than a routine patch, since Defused said it has already observed exploitation in the wild. 

For more news about security flaws under active exploitation, click Vulnerability to read more.

Previous article
Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks
Next article
Female Cybersecurity Leaders to Watch in Aerospace and Defense
Founders, Analysts & Industry Voices

Female Cybersecurity Leaders to Watch in Telecommunications

Telecommunications runs on trust, resilience, and always-on infrastructure, which...
Founders, Analysts & Industry Voices

Female Cybersecurity Leaders to Watch in Insurance

Insurance has always been a business built on trust,...

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.