Yet another critical flaw in a Fortinet product has come to light as attackers continue to target the company, this time by actively exploiting a SQL injection vulnerability in the cybersecurity company’s endpoint management server.
The vulnerability (CVE-2026-21643) allows unauthenticated threat actors to execute arbitrary code on unpatched systems via specially crafted HTTP requests. These low-complexity attacks target FortiClient Endpoint Management Server (EMS), a widely used endpoint security management tool.
The CVE was being abused as recently as four days ago, according to research from red-teaming company Defused Cyber, and reflects a concerning trend for the cybersecurity giant, which serves more than 900,000 customers.
“This is Fortinet’s seventh SQL CVE over the past 12 months, and that’s frankly seven too many,” said David Shipley of Beauceron Security.
Gives broad access to sensitive data
FortiClient EMS provides centralized management, deployment, and monitoring for FortiClient endpoint agents across numerous platforms. CVE-2026-21643 was discovered internally by Fortinet’s security team and published on February 6. It impacts FortiClient EMS version 7.4.4 when multi-tenant mode is enabled. Single-site deployments are not impacted. Enterprises should patch immediately, security experts warn, by upgrading to version 7.4.5 or later.
As of publication time, Fortinet had not yet updated its security advisory to flag the active exploitation of the CVE.
The flaw is classed as an “improper neutralization of special elements used in an SQL command” vulnerability, the CWE-89 definition of SQL injection. In practical terms, according to a deep-dive report by pentesting company Bishop Fox, a single HTTP request with a crafted header value is sufficient to execute arbitrary SQL against the backing PostgreSQL database. An attacker who can reach the EMS web interface over HTTPS “needs no credentials to exploit this,” the report said.
“This gives attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints,” the researchers wrote. They pointed out that the endpoint returns database error messages and has no lockout protections, so an attacker can pull data back quickly through error-based extraction rather than slower blind techniques.
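To make the bug class concrete, here is an added example (not Fortinet’s EMS code, and not the exploit for CVE-2026-21643): a hypothetical tenant lookup that splices a request header value into a query, beside the same lookup with a bound parameter. SQLite stands in for the PostgreSQL database behind EMS so the example runs offline; the table names, column names and payloads are assumptions made for the illustration.

```python
"""Vulnerable-versus-hardened SQL lookup (added example; hypothetical, not EMS code).

SQLite stands in for the PostgreSQL database behind EMS; table and column
names are invented for the illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed multi-tenant sample data: sites plus per-site admin credentials."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sites  (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
        CREATE TABLE admins (id INTEGER PRIMARY KEY, site_id INTEGER,
                             username TEXT, pw_hash TEXT);
        INSERT INTO sites  VALUES (1, 'default'), (2, 'acme');
        INSERT INTO admins VALUES (1, 1, 'admin', 'HASH-DEFAULT'),
                                  (2, 2, 'acme-admin', 'HASH-ACME');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, site_header: str):
    """CWE-89 pattern: the untrusted header value is spliced into the statement.

    Returns the list of values the query produced, or the database error text,
    mirroring an endpoint that echoes database errors back to the client.
    """
    sql = f"SELECT id FROM sites WHERE name = '{site_header}'"
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error as exc:
        return f"DB error: {exc}"


def lookup_hardened(conn: sqlite3.Connection, site_header: str):
    """Same lookup with a bound parameter: the header is only ever compared as data."""
    rows = conn.execute("SELECT id FROM sites WHERE name = ?", (site_header,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Hypothetical payloads illustrating the class, not the real CVE payload.
    union = "x' UNION ALL SELECT pw_hash FROM admins --"
    print("vulnerable, normal input :", lookup_vulnerable(db, "acme"))
    print("vulnerable, UNION payload:", lookup_vulnerable(db, union))  # leaks every admin hash
    print("vulnerable, bare quote   :", lookup_vulnerable(db, "x'"))   # error text feeds error-based SQLi
    print("hardened,   UNION payload:", lookup_hardened(db, union))    # no match, nothing leaked
    print("hardened,   bare quote   :", lookup_hardened(db, "x'"))
```

The two functions issue the same statement for a benign site name; the difference is only visible once the input contains SQL syntax, which is why this bug class survives functional testing and why the parameterized form, not input filtering, is the fix.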
The Shadowserver Foundation, a nonprofit security watchdog, is currently tracking more than 2,400 FortiClient EMS instances with web interfaces exposed to the internet, the majority of them in the US and Europe. And Shodan, a search engine for internet-connected devices, reported 1,000 publicly exposed instances of FortiClient EMS.
SQL injection a top app security issue
Beauceron’s Shipley underscored the dangers of SQL injection, pointing out that the vulnerability class was first on the OWASP Top 10 list of application security risks when the open source foundation was launched more than 20 years ago. The attack type has remained in the top spot for most of that time, “for good reason.”
“You don’t want these kinds of bugs to lead to remote code execution, [but] in multi-site setups of this service, that’s what you can get,” said Shipley.
Victor Okorie, advisory director in the security and privacy practice at Info-Tech Research Group, agreed with Shipley’s assessment that SQL injection vulnerabilities are particularly dangerous.
Most existing controls do not catch flaws like this, he pointed out. Exploitation allows credential theft, enables lateral movement because of the “implicit trust” placed in the EMS, and permits manipulation and exfiltration of sensitive data. Attackers can execute unauthorized commands and bypass authentication completely, “which makes getting in a breeze.”
“The bad actor’s playbook consists of ‘get in,’ ‘take control,’ and ‘profit,’ and this is something we should always remember when reviewing vulnerabilities being exploited in the wild,” said Okorie.
Highlights importance of zero trust
Fortinet has been a prime target for threat actors of late, with attackers using AI to exploit weakly protected firewalls, launching zero-day attacks against customer devices, and stealing FortiGate firewall credentials. The company has also been criticized for “silent” patching after disclosing zero-day vulnerabilities in some of its equipment.
All told, the US Cybersecurity and Infrastructure Security Agency (CISA) lists 24 Fortinet vulnerabilities actively being exploited.
This highlights the importance of a zero-trust architecture, said Okorie. Organizations should check whether their EMS is internet-facing, he advised; if it is, they should remove it from direct exposure to the internet and place it behind a secure access gateway. Enterprises should also inspect HTTP traffic logs for anomalous SQL syntax embedded within the ‘Site’ header.
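The log inspection Okorie recommends can be scripted. The following is an added example, not Fortinet tooling: it reads a request log, URL-decodes the Site header of each request and flags values that trip several generic SQL injection indicators at once. The JSON-lines log format, the sample requests and the payloads are constructed for this example; EMS’s real log layout and the real exploit payload are not known to this code, so it is a heuristic rather than a signature.

```python
"""Scan request logs for SQL syntax in the Site header (added example, not Fortinet tooling).

The JSON-lines log format below is constructed for this example; the real EMS
log layout and exploit payload are not known here, so detection relies on
generic SQL-injection indicators rather than a signature.
"""
import json
import re
from urllib.parse import unquote_plus

# Ordered (pattern, label) pairs. Several cheap indicators combined beat any single
# one: a lone apostrophe is a weak signal, apostrophe + comment + keyword is not.
SQLI_INDICATORS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"--|/\*"), "SQL comment"),
    (re.compile(r";"), "statement separator"),
    (re.compile(r"\b(union|select|insert|update|delete|drop|pg_sleep|information_schema|cast)\b", re.I),
     "SQL keyword"),
    (re.compile(r"\b(or|and)\b\s+\S+\s*=", re.I), "boolean tautology"),
]

# Constructed sample: six requests, two of them carrying injection attempts
# (one plain, one URL-encoded). Source addresses come from documentation ranges.
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-02-10T08:01:12Z","src":"10.0.0.5","path":"/login","headers":{"Site":"default"}}',
    '{"ts":"2026-02-10T08:01:15Z","src":"10.0.0.9","path":"/login","headers":{"Site":"acme-corp"}}',
    '{"ts":"2026-02-10T08:02:40Z","src":"203.0.113.7","path":"/login","headers":{"Site":"acme\' OR 1=1 --"}}',
    '{"ts":"2026-02-10T08:03:02Z","src":"10.0.0.12","path":"/status","headers":{}}',
    '{"ts":"2026-02-10T08:03:55Z","src":"198.51.100.23","path":"/login",'
    '"headers":{"Site":"acme%27%20UNION%20SELECT%20pg_sleep(5)--"}}',
    '{"ts":"2026-02-10T08:04:10Z","src":"10.0.0.30","path":"/login","headers":{"Site":"Rock\'n\'Roll Ltd"}}',
])


def site_header_findings(value: str) -> list:
    """Return the label of every indicator present in the URL-decoded header value."""
    decoded = unquote_plus(value)
    return [label for pattern, label in SQLI_INDICATORS if pattern.search(decoded)]


def scan_log(text: str, min_indicators: int = 2) -> list:
    """One finding per request whose Site header trips at least min_indicators indicators."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        site = rec.get("headers", {}).get("Site")
        if site is None:
            continue  # request did not carry the header at all
        labels = site_header_findings(site)
        if len(labels) >= min_indicators:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "site": unquote_plus(site), "indicators": labels})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], repr(f["site"]), ", ".join(f["indicators"]))
```

The default threshold of two indicators keeps a legitimate site name containing an apostrophe out of the alert queue; lowering it to one trades that false positive for catching sparser probes. Run the same check against any other header the application consumes, and treat a hit from a source outside your management network as a trigger to pull the full request and check the EMS version against the 7.4.5 fix.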
“Old dogs don’t really need new tricks, and that can be applicable here,” said Okorie. Because Fortinet vulnerabilities have been used in ransomware campaigns, “there is a sense of familiarity” for attackers, who continue to identify and exploit weaknesses.
Fortinet must be ‘more proactive’
“Fortinet seems to have an issue resolving entire bug classes,” added Beauceron’s Shipley. They seem to keep playing “bug whack-a-mole,” fixing the immediate problem but not taking the time to review codebases in depth to uncover the same flawed code in other areas.
“Attackers, on the other hand, smell blood,” he noted. Once they find this kind of bug repeated, they will refine their hacking attempts to discover more instances of it.
With AI tools speeding up attackers’ work, Fortinet must be more proactive on bug hunts, said Shipley. But that being said, he observed, the company’s revenue continued to grow in 2025 by more than 14%, “so the market isn’t exactly sending a strong signal that they should care [about this] more.”