Intrusions harnessing a critical SQL injection flaw in Fortinet FortiClient EMS, tracked as CVE-2026-21643, were reported by Defused researchers to have been ongoing since Mar. 24, according to Security Affairs."Attackers can smuggle SQL statements through the 'Site'-header inside an HTTP request. According to Shodan, close to 1000 instances of FortiClient EMS are publicly exposed," said Defused in a post on X. Additional findings from The Shadowserver Foundation revealed nearly 2,000 internet-exposed FortiClient EMS implementations, most of which are in the U.S. and Europe.Only FortiClient EMS 7.4.4 instances are affected by the security issue, which could be leveraged by threat actors using specially crafted HTTP requests to enable unauthorized code execution for subsequent lateral movement or malware delivery, noted Fortinet in an advisory last month that called for the immediate remediation of affected instances.Such a development comes two years after the FortiClient EMS SQL injection bug, tracked as CVE-2023-48788, was included in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list.
Vulnerability Management, Patch/Configuration Management
Critical Fortinet FortiClient EMS vulnerability under attack

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



