Search

Critical Fortinet FortiClient EMS Flaw Now Exploited in Attacks

Cyber threats and incidents
By John Kevin Hao
Credit: Fortinet

Related

Cyber threats and incidents

New GhostLock Tool Abuses Windows API to Block File Access

What happened A security researcher has published a proof-of-concept tool...
Read more
Cyber threats and incidents

Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks

What happened Ivanti has disclosed a high-severity remote code execution...
Read more
Cyber threats and incidents

Mirai-Based xlabs_v1 Botnet Exploits Android Debug Bridge to Hijack IoT Devices

What happened Hunt.io researchers have identified a new Mirai-derived botnet...
Read more
Cyber threats and incidents

Cisco Releases Fix for DoS Flaw That Requires Manual Reboot to Recover

What happened Cisco has released security updates addressing a high-severity...
Read more
Cyber threats and incidents

Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks

What happened Palo Alto Networks has disclosed a critical unpatched...
Read more

Share

What happened

A critical Fortinet FortiClient EMS flaw is now being exploited in attacks, according to threat intelligence company Defused. The vulnerability, tracked as CVE-2026-21643, is a SQL injection issue that can let unauthenticated attackers execute arbitrary code or commands on unpatched systems through malicious HTTP requests targeting the FortiClient EMS web interface. Defused said it saw first exploitation four days before its public warning and noted that attackers can smuggle SQL statements through the Site header in an HTTP request. The flaw affects FortiClient EMS version 7.4.4. Fortinet said the issue was discovered internally by Gwendal Guégniaud of the Fortinet Product Security team and can be fixed by upgrading to version 7.4.5 or later. 

Who is affected

The direct exposure affects organizations running FortiClient EMS version 7.4.4, especially where the web interface is exposed online. Defused said close to 1,000 instances were publicly exposed according to Shodan, while Shadowserver said it was tracking more than 2,000 exposed FortiClient EMS instances. 

Why CISOs should care

This matters because the flaw allows unauthenticated code or command execution through a low-complexity attack path against a management platform used in enterprise environments. It is also significant because the article places the issue in the context of repeated exploitation of Fortinet flaws in ransomware and cyber espionage campaigns. 

3 practical actions

  1. Upgrade affected systems immediately: Move any FortiClient EMS 7.4.4 deployments to version 7.4.5 or later, which Fortinet says patches CVE-2026-21643. 
  2. Reduce internet exposure fast: Identify whether any FortiClient EMS web interfaces are publicly reachable and restrict access where possible, given the reported exposed attack surface. 
  3. Treat exploitation as already underway: Prioritize this issue as an active-incident risk rather than a routine patch, since Defused said it has already observed exploitation in the wild. 

For more news about security flaws under active exploitation, click Vulnerability to read more.

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

Previous article
Critical Grafana Vulnerabilities Enable Remote Code Execution and DoS Attacks
Next article
Female Cybersecurity Leaders to Watch in Aerospace and Defense

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.