Search

Critical Fortinet FortiClient EMS Flaw Now Exploited in Attacks

Cyber threats and incidents
By John Kevin Hao
Credit: Fortinet

Related

Cyber threats and incidents

Hackers Now Exploit Critical Oracle E-Business Suite Flaw in Attacks

What happened Attackers have begun exploiting a critical vulnerability in...
Read more
Cyber threats and incidents

Hackers Exploit Critical SimpleHelp Flaw to Deploy Djinn Stealer

What happened Hackers are exploiting a critical vulnerability in SimpleHelp...
Read more
Cyber threats and incidents

Amazon Q Flaw Enabled Cloud Credential Theft Through Malicious Repositories

What happened Researchers at Wiz disclosed a high-severity vulnerability in...
Read more
Cyber threats and incidents

CISA Sets Urgent Deadline to Fix Cisco Flaw Exploited in Attacks

What happened CISA added a Cisco Unified Communications Manager Server...
Read more
Cyber threats and incidents

Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks

What happened Security researchers disclosed an eight-year-old high-severity vulnerability in...
Read more

Share

What happened

A critical Fortinet FortiClient EMS flaw is now being exploited in attacks, according to threat intelligence company Defused. The vulnerability, tracked as CVE-2026-21643, is a SQL injection issue that can let unauthenticated attackers execute arbitrary code or commands on unpatched systems through malicious HTTP requests targeting the FortiClient EMS web interface. Defused said it saw first exploitation four days before its public warning and noted that attackers can smuggle SQL statements through the Site header in an HTTP request. The flaw affects FortiClient EMS version 7.4.4. Fortinet said the issue was discovered internally by Gwendal Guégniaud of the Fortinet Product Security team and can be fixed by upgrading to version 7.4.5 or later. 

Who is affected

The direct exposure affects organizations running FortiClient EMS version 7.4.4, especially where the web interface is exposed online. Defused said close to 1,000 instances were publicly exposed according to Shodan, while Shadowserver said it was tracking more than 2,000 exposed FortiClient EMS instances. 

Why CISOs should care

This matters because the flaw allows unauthenticated code or command execution through a low-complexity attack path against a management platform used in enterprise environments. It is also significant because the article places the issue in the context of repeated exploitation of Fortinet flaws in ransomware and cyber espionage campaigns. 

3 practical actions

  1. Upgrade affected systems immediately: Move any FortiClient EMS 7.4.4 deployments to version 7.4.5 or later, which Fortinet says patches CVE-2026-21643. 
  2. Reduce internet exposure fast: Identify whether any FortiClient EMS web interfaces are publicly reachable and restrict access where possible, given the reported exposed attack surface. 
  3. Treat exploitation as already underway: Prioritize this issue as an active-incident risk rather than a routine patch, since Defused said it has already observed exploitation in the wild. 

For more news about security flaws under active exploitation, click Vulnerability to read more.

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

Previous article
Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks
Next article
Female Cybersecurity Leaders to Watch in Aerospace and Defense
Cyber threats and incidents

Hackers Now Exploit Critical Oracle E-Business Suite Flaw in Attacks

What happened Attackers have begun exploiting a critical vulnerability in...
Cyber threats and incidents

Hackers Exploit Critical SimpleHelp Flaw to Deploy Djinn Stealer

What happened Hackers are exploiting a critical vulnerability in SimpleHelp...

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.