PT-2026-6694 · Fortinet · Forticlientems
Published: 2026-02-06 · Updated: 2026-05-12 · CVE-2026-21643
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
FortiClient EMS versions 7.0.1 through 7.0.13
FortiClient EMS versions 7.2.0 through 7.2.2
FortiClient EMS version 7.4.4
Description:
An improper neutralization of special elements used in an SQL command (SQL injection) exists in the web management interface. The flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands, and through them unauthorized code or commands, by sending specially crafted HTTP requests. Technical analysis indicates that attackers can smuggle malicious SQL statements through the 'Site' HTTP header or the messaging parameter in requests to the 'FCT DAS' diagnostic service, specifically targeting the '/api/v1/init consts' endpoint or the login endpoint. Successful exploitation can lead to full administrative compromise, database dumps, and remote code execution (RCE) via database features such as xp_cmdshell or COPY FROM PROGRAM. The issue is particularly severe in multi-tenant deployments. Real-world exploitation has been observed, with thousands of instances exposed globally, and it has been linked to the deployment of ransomware such as Medusa and Akira.
Recommendations:
Upgrade FortiClient EMS versions 7.0.1 through 7.0.13 to version 7.0.14.
Upgrade FortiClient EMS versions 7.2.0 through 7.2.2 to version 7.2.3 or later.
Upgrade FortiClient EMS version 7.4.4 to version 7.4.5 or later.
Restrict network access to management interfaces using firewalls and IP allowlisting.
Remove internet exposure and enforce VPN-only administrative access.
Deploy WAF rules to block SQL injection patterns targeting EMS endpoints.

Tags: Exploit · Fix · LPE · RCE · SQL injection

Weakness Enumeration
Related Identifiers: BDU:2026-01492, CVE-2026-21643
Affected Products: Forticlientems