Vulnerability Management, Patch/Configuration Management

Critical Fortinet FortiClient EMS vulnerability under attack

Data exposed of more than 15K Fortinet FortiGate firewalls. (Adobe Stock)

Intrusions harnessing a critical SQL injection flaw in Fortinet FortiClient EMS, tracked as CVE-2026-21643, were reported by Defused researchers to have been ongoing since Mar. 24, according to Security Affairs.

"Attackers can smuggle SQL statements through the 'Site'-header inside an HTTP request. According to Shodan, close to 1000 instances of FortiClient EMS are publicly exposed," said Defused in a post on X. Additional findings from The Shadowserver Foundation revealed nearly 2,000 internet-exposed FortiClient EMS implementations, most of which are in the U.S. and Europe.

Only FortiClient EMS 7.4.4 instances are affected by the security issue, which could be leveraged by threat actors using specially crafted HTTP requests to enable unauthorized code execution for subsequent lateral movement or malware delivery, noted Fortinet in an advisory last month that called for the immediate remediation of affected instances.

Such a development comes two years after the FortiClient EMS SQL injection bug, tracked as CVE-2023-48788, was included in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds