Attackers are actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence firm Defused.
Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems via low-complexity attacks targeting the FortiClientEMS GUI (web interface) using maliciously crafted HTTP requests.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data,” Defused warned over the weekend.
“Attackers can smuggle SQL statements via the ‘Site’-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.”
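As an added defender-side example (not code from the article, Defused or Fortinet), the following Python flags logged requests whose Site header carries SQL syntax so they can be triaged; the request records are constructed sample data, and the dictionary layout and header name are assumptions about how a reverse proxy or WAF in front of the EMS web interface might log them.

```python
import re

# Heuristic indicators of SQL syntax inside a single HTTP header value.
# These are generic textbook patterns, not the exploit payload; expect false
# positives (e.g. "--" in a hostname) and route hits to review, not blocking.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=", re.I),        # quote-break tautology
    re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),  # stacked statement
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),        # union-based extraction
    re.compile(r"(--|/\*|\*/)"),                             # SQL comment sequences
]


def header_is_suspicious(value: str) -> bool:
    """Return True if the header value matches any SQL-injection heuristic."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def flag_requests(records, header="Site"):
    """Return (record_id, header_value) for requests whose header looks injected.

    `records` is an iterable of dicts with an "id" and a "headers" dict;
    requests that lack the header are skipped rather than treated as hostile.
    """
    hits = []
    for rec in records:
        value = rec.get("headers", {}).get(header)
        if value is not None and header_is_suspicious(value):
            hits.append((rec["id"], value))
    return hits


# Constructed sample records (assumed log layout): one benign, two hostile.
SAMPLE_REQUESTS = [
    {"id": 1, "src": "203.0.113.10",
     "headers": {"Host": "ems.example.test", "Site": "default"}},
    {"id": 2, "src": "203.0.113.11",
     "headers": {"Host": "ems.example.test", "Site": "default' OR '1'='1"}},
    {"id": 3, "src": "203.0.113.12",
     "headers": {"Host": "ems.example.test", "Site": "x' UNION SELECT 1,2--"}},
]

if __name__ == "__main__":
    for rid, val in flag_requests(SAMPLE_REQUESTS):
        print(f"request {rid}: suspicious Site header {val!r}")
```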
The vulnerability, discovered internally by Gwendal Guégniaud of the Fortinet Product Security team, affects FortiClient EMS version 7.4.4 and can be patched by upgrading to version 7.4.5 or later.
Fortinet has yet to update its security advisory and flag the vulnerability as exploited in the wild. BleepingComputer reached out to a Fortinet spokesperson to confirm reports of active exploitation, but a response was not immediately available.
Internet security watchdog group Shadowserver is currently tracking over 2,000 FortiClient EMS instances with their web interfaces exposed online, with more than 1,400 IPs in the United States and in Europe.

A separate Shodan search shows more than FortiClient EMS, with most exposed instances in the United States.
Fortinet vulnerabilities are frequently exploited to breach corporate networks in ransomware attacks and cyber espionage campaigns (often as zero-day bugs while patches are still pending).
Most recently, Fortinet mitigated CVE-2026-24858 zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
Two years ago, in March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another FortiClient EMS SQL injection vulnerability that had been exploited in ransomware attacks and by Salt Typhoon, a Chinese state-sponsored hacking group, to breach telecommunications service providers.
In total, CISA has flagged 24 Citrix vulnerabilities as actively exploited, 13 of which were used in ransomware attacks.