Warning: FortiClient EMS SQL Injection - CVE-2026-21643, Patch Immediately!

Published: 31/03/2026
  • Last update: 31/03/2026
  • Affected software:
    → Fortinet FortiClientEMS 7.4.4
  • Type: CWE-89: Execute unauthorized code or commands
  • CVE/CVSS
    → CVE-2026-21643: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Fortinet - https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

Risks

Fortinet's FortiClient EMS is used for managing and securing an organization's endpoints and their connection to the network.

CVE-2026-21643 is a critical SQL injection vulnerability (CVSS 9.1) that is reported to be actively exploited in the wild. It requires no authentication and has a public Proof-of-Concept. Successful exploitation could allow attackers to steal data, manipulate configurations, or achieve full remote code execution.

A similar flaw (CVE-2023-48788) was leveraged in ransomware campaigns, so similar targeting is expected.

Upgrade to FortiClient EMS 7.4.5 or above immediately.

Description

CVE-2026-21643: FortiClient EMS (Critical, Actively Exploited)

Only FortiClient EMS 7.4.4 is affected (versions 7.2 and 8.0 are not). An attacker can send a crafted GET request to /api/v1/init_consts with a malicious Site header to inject arbitrary SQL. This can lead to data exfiltration, database manipulation, or OS command execution through chaining. Single-site (non-multi-tenant) deployments are reported as not affected.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

If possible, block public internet access to the EMS web interface and limit it to trusted management networks.

Monitor/Detect
The CCB recommends organizations scale up monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

Review logs for suspicious requests to /api/v1/init_consts or unusual Site header values. If your instance was internet-facing and unpatched, assume potential compromise and investigate accordingly.
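One way to carry out that log review, as an added example that is not part of the CCB advisory, Fortinet's documentation or the Bishop Fox write-up: the script below reads a JSON-lines access log, keeps only requests to /api/v1/init_consts, and flags those whose Site header is not a plain site or host name. The log format, the field names (ts, src_ip, method, path, site_header, status) and the sample lines are all assumptions constructed for this example; the real EMS or reverse-proxy log format is not described on this page, so the parse_log function is the part to adapt. The detector deliberately uses an allow-pattern for the header rather than trying to enumerate injection syntax, which is the more robust choice for detection.

```python
import json
import re
from collections import Counter

TARGET_PATH = "/api/v1/init_consts"

# Conservative allow-pattern for a legitimate Site header: a hostname- or
# label-like token. Anything outside this set (quotes, spaces, semicolons,
# comment markers, parentheses) is reported, without needing to know the
# exact injection syntax an attacker would use.
SITE_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,253}$")

# Broad SQL keywords, used only to give a more specific reason in a finding.
SQL_HINT = re.compile(
    r"\b(select|union|insert|update|delete|drop|exec|waitfor|sleep|pg_sleep)\b",
    re.I,
)

# Constructed sample log (JSON lines). Field names are assumed; they stand in
# for whatever your proxy or EMS web server actually records.
SAMPLE_LOG = """\
{"ts": "2026-03-30T08:12:01Z", "src_ip": "10.20.0.15", "method": "GET", "path": "/api/v1/init_consts", "site_header": "corp-hq", "status": 200}
{"ts": "2026-03-30T08:12:07Z", "src_ip": "198.51.100.23", "method": "GET", "path": "/api/v1/init_consts", "site_header": "corp-hq'", "status": 500}
{"ts": "2026-03-30T08:13:44Z", "src_ip": "198.51.100.23", "method": "GET", "path": "/API/v1/init_consts?x=1", "site_header": "corp-hq; SELECT 1", "status": 200}
{"ts": "2026-03-30T08:14:02Z", "src_ip": "10.20.0.15", "method": "GET", "path": "/api/v1/endpoints", "site_header": "corp-hq'", "status": 200}
{"ts": "2026-03-30T08:15:30Z", "src_ip": "203.0.113.9", "method": "GET", "path": "/api/v1/init_consts/", "site_header": "corp hq", "status": 200}
{"ts": "2026-03-30T08:16:11Z", "src_ip": "10.20.0.15", "method": "GET", "path": "/api/v1/init_consts", "site_header": "", "status": 200}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # do not abort a whole review over one bad line
    return records


def normalize_path(path):
    """Drop the query string and trailing slash, lower-case the path."""
    return path.split("?", 1)[0].rstrip("/").lower()


def classify_site_header(value):
    """Return a reason string if the Site header looks suspicious, else None."""
    if value is None or value == "":
        return None  # an absent header is normal for single-site deployments
    if SITE_ALLOWED.fullmatch(value):
        return None
    if SQL_HINT.search(value):
        return "site header contains SQL keyword"
    if "'" in value or '"' in value:
        return "site header contains quote character"
    if "--" in value or "/*" in value or ";" in value:
        return "site header contains comment or statement separator"
    return "site header is not a plain site/host name"


def find_suspicious_requests(records):
    """Return findings for requests to the vulnerable endpoint with odd Site headers."""
    findings = []
    for rec in records:
        if normalize_path(rec.get("path", "")) != TARGET_PATH:
            continue  # only the init_consts endpoint is in scope
        reason = classify_site_header(rec.get("site_header"))
        if reason:
            findings.append({
                "ts": rec.get("ts"),
                "src_ip": rec.get("src_ip"),
                "site_header": rec.get("site_header"),
                "status": rec.get("status"),
                "reason": reason,
            })
    return findings


def summarize_by_source(findings):
    """Count findings per source IP, to prioritise which hosts to investigate."""
    return dict(Counter(f["src_ip"] for f in findings))


def main():
    findings = find_suspicious_requests(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f"{f['ts']} {f['src_ip']} status={f['status']} "
              f"site={f['site_header']!r}: {f['reason']}")
    print("per-source counts:", summarize_by_source(findings))


if __name__ == "__main__":
    main()
```

A hit on this check is a reason to investigate the source host, not proof of compromise on its own; as the advisory says, an internet-facing instance that ran 7.4.4 unpatched should be treated as potentially compromised regardless of what the available logs show.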

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Bishopfox - https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4
Helpnetsecurity - https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
CVE.org - https://www.cve.org/CVERecord?id=CVE-2026-21643