Fortinet has released security updates to remediate a critical security flaw affecting FortiClientEMS that could allow attackers to execute arbitrary code without authentication.
The vulnerability is tracked as CVE-2026-21643 and carries a CVSS score of 9.1, placing it among high impact enterprise security risks. According to Fortinet, the issue stems from improper handling of user supplied input in SQL commands, creating an SQL injection weakness.
The company stated that the flaw could allow an unauthenticated attacker to run unauthorized commands by sending specially crafted HTTP requests to vulnerable systems.
Affected and Patched Versions
Fortinet confirmed that not all versions of FortiClientEMS are impacted. The vulnerability affects specific releases and users are advised to review their deployments carefully.
The affected status is as follows:
- FortiClientEMS 7.2, not affected
- FortiClientEMS 7.4.4, affected and requires upgrade to version 7.4.5 or later
- FortiClientEMS 8.0, not affected
The issue was discovered and responsibly disclosed by Gwendal Guégniaud from the Fortinet Product Security team.
Although Fortinet has not observed active exploitation of this specific flaw, the company strongly recommends that organizations apply the security update without delay to reduce exposure.
Related Fortinet Security Issues Under Active Exploitation
The disclosure comes shortly after Fortinet addressed another critical vulnerability impacting multiple products, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb.
This second flaw, tracked as CVE-2026-24858 with a CVSS score of 9.4, enables attackers with a FortiCloud account and a registered device to gain unauthorized access to other Fortinet devices belonging to different customers when FortiCloud SSO authentication is enabled.
Fortinet later confirmed that this vulnerability has been actively exploited in real world attacks. Threat actors abused the issue to create local administrator accounts for persistence, modify configurations to enable VPN access, and extract firewall configuration data.
Security experts warn that these attacks highlight the importance of rapid patch deployment, especially for internet facing security appliances that are frequently targeted by attackers.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
