CVE-2026-21643: Fortinet FortiClient EMS Is Being Actively Exploited — And CISA Hasn't Caught Up Yet


If you're running Fortinet FortiClient EMS in multi-tenant mode, you're a live target right now.

CVE-2026-21643 — a critical SQL injection vulnerability in FortiClient Endpoint Management Server — is being actively exploited in the wild. Threat intelligence firm Defused Cyber confirmed exploitation attempts four days ago via honeypot telemetry. As of this writing, CISA has not added it to the Known Exploited Vulnerabilities catalog. That gap matters.

What's Broken

FortiClient EMS v7.4.4 introduced a refactored middleware stack as part of evolving multi-tenant support. That refactor introduced a fatal mistake: the HTTP header used to identify which tenant a request belongs to gets passed directly into a PostgreSQL database query — with no sanitization — before any authentication check occurs.

That last part is the problem. An unauthenticated attacker with HTTPS access to the EMS web interface needs one HTTP request with a crafted header to execute arbitrary SQL against the backend database. No credentials. No lateral movement required. Single request.
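The fault described above is the textbook string-concatenation injection, compounded by running before authentication. The following added example (written for this page, not FortiClient EMS code, and not based on any Fortinet source) shows the vulnerable lookup beside its hardened form. The header name X-Tenant-Id, the tenants table, and the use of sqlite3 as an offline stand-in for PostgreSQL are all assumptions; the advisory names none of them.

```python
"""Added example (not FortiClient EMS code): a tenant lookup driven by an
HTTP header, in vulnerable and hardened form.

Assumptions (none are from the advisory): the header is called
X-Tenant-Id, the table is called tenants, and sqlite3 stands in for
PostgreSQL so the example runs offline. The bug pattern is the same in
any SQL dialect: untrusted header text spliced into the query string.
"""
import sqlite3

# Constructed sample data standing in for a multi-tenant EMS backend.
SAMPLE_TENANTS = [("acme", "Acme Corp"), ("globex", "Globex Inc")]


def make_db() -> sqlite3.Connection:
    """In-memory database with a small tenants table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (tenant_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tenants VALUES (?, ?)", SAMPLE_TENANTS)
    conn.commit()
    return conn


def lookup_tenant_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """The broken pattern: the header value becomes part of the SQL text.

    Any quote, comment marker or keyword in the header is interpreted by
    the database as SQL rather than compared as data.
    """
    tenant = headers.get("X-Tenant-Id", "")
    query = f"SELECT tenant_id, name FROM tenants WHERE tenant_id = '{tenant}'"
    return conn.execute(query).fetchall()


def lookup_tenant_hardened(conn: sqlite3.Connection, headers: dict) -> list:
    """Same lookup with a bound parameter: the header is always data.

    The database receives the statement shape and the value separately,
    so the value cannot change the statement whatever it contains.
    """
    tenant = headers.get("X-Tenant-Id", "")
    query = "SELECT tenant_id, name FROM tenants WHERE tenant_id = ?"
    return conn.execute(query, (tenant,)).fetchall()


def resolve_tenant(conn: sqlite3.Connection, headers: dict, session_valid: bool) -> list:
    """Ordering matters as well: authenticate before touching tenant state.

    The advisory's second fault was that the query ran before any auth
    check, so an anonymous request reached the database. Gating the lookup
    on an already-validated session (session_valid is a stand-in for a
    real session check) means the query is no longer reachable pre-auth.
    """
    if not session_valid:
        return []
    return lookup_tenant_hardened(conn, headers)


if __name__ == "__main__":
    db = make_db()
    benign = {"X-Tenant-Id": "acme"}
    # Constructed hostile value: closes the string literal and appends a
    # tautology so the WHERE clause matches every row.
    hostile = {"X-Tenant-Id": "x' OR '1'='1"}
    print("vulnerable, benign :", lookup_tenant_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_tenant_vulnerable(db, hostile))
    print("hardened,  hostile :", lookup_tenant_hardened(db, hostile))
    print("pre-auth request   :", resolve_tenant(db, benign, session_valid=False))
```

Run it as a script and the vulnerable lookup returns every tenant for the hostile header while the parameterized lookup returns nothing, which is the whole difference between the two. The `resolve_tenant` wrapper makes the second point of the advisory concrete: even a parameterized query should sit behind the authentication check, so that a bug in the query layer is never exposed to anonymous traffic.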

Bishop Fox published a technical breakdown in early March. Their read: "An attacker who can reach the EMS web interface over HTTPS needs no credentials to exploit this. A single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database."

What can they reach once they're in? Admin credentials. Endpoint inventory. Security policies. Certificates for managed endpoints. This isn't read-only access to some log table — it's the keys to every managed endpoint in the deployment.

The CVSS scores reflect this. Fortinet rated it 9.1. NVD rated it 9.8. Either way, critical.

Who's Exposed

Versions 7.2 and 8.0 are not affected. Only v7.4.4 is vulnerable, and only when multi-tenant mode is enabled. Single-site deployments are in the clear.

That sounds reassuring until you look at what's internet-facing. Defused Cyber pulled Shodan data: close to 1,000 FortiClient EMS instances are publicly reachable. How many of those are running v7.4.4 in multi-tenant mode is unknown. Fortinet itself hasn't confirmed active exploitation yet — which is notable, given that external researchers have honeypot evidence of it happening right now.

Patch availability isn't the issue. Fortinet released 7.4.5 in February. This vulnerability has been patchable for weeks. What's missing is urgency on the admin side — and the absence of a CISA KEV flag that would force the issue in many federal and enterprise environments.

Why This Matters Beyond Fortinet

This pattern is worth calling out explicitly. A feature was added (multi-tenant support). The refactor introduced an injection point. The injection point was pre-authentication, making it trivially exploitable. The patch existed. The exploitation started anyway.

It's a familiar loop: feature velocity outruns security review, a public-facing management interface carries the exposure, researchers release detailed exploitation paths, attackers follow the write-up. The Bishop Fox analysis dropped in early March. Honeypot hits followed within weeks.

FortiClient EMS is an endpoint management server — it sits at the center of an organization's endpoint security posture. Compromising it doesn't just mean a data leak. It means an attacker with access to your security tooling, your endpoint inventory, your managed certificates. The blast radius on a fully exploited EMS instance is significant.

What to Do Right Now

If you're running FortiClient EMS v7.4.4 in multi-tenant mode: Upgrade to 7.4.5 immediately. The fix exists. There's no reason to be on the vulnerable version.

If you're not sure which version you're running: Check. Then upgrade if needed.

If FortiClient EMS is internet-facing: That's a configuration you should revisit regardless. Management interfaces for endpoint security tools should not be directly reachable from the public internet. Network segmentation here reduces blast radius across a whole class of future vulnerabilities, not just this one.

If you're in a CISA-monitored environment: Don't wait for the KEV update. The exploitation activity is real, confirmed by independent telemetry. The KEV flag will likely come — patch ahead of it.

Monitor HTTP logs hitting the EMS administrative interface for anomalous patterns. Unusual header values in HTTPS requests to the EMS web UI are your indicator. If you haven't seen the Bishop Fox technical breakdown, it's worth reading for the specific request structure to watch for.

Bottom Line

Fortinet issued the patch weeks ago. Exploitation started last week. CISA's catalog hasn't moved. That window is exactly where incident response starts getting expensive.

If you have FortiClient EMS 7.4.4 in your environment, the risk calculus here is straightforward: upgrade or accept that unauthenticated attackers can run arbitrary SQL against your endpoint management backend right now. One crafted HTTP request. No credentials needed.

Patch it.
