Unauthenticated SQL Injection in FortiClientEMS 7.4.4
Potential Remote Code Execution via crafted HTTP requests to the admin GUI
CVE-2026-21643 is a critical SQL injection vulnerability (CWE-89) affecting Fortinet FortiClient Endpoint Management Server (FortiClientEMS) version 7.4.4 only.
An unauthenticated remote attacker can send specially crafted HTTP requests to the web-based administrative interface (GUI) and execute unauthorized SQL commands. This can lead to full system compromise, including arbitrary code execution on the server.
Key Risk: The vulnerability is pre-authentication, making any internet-exposed or reachable FortiClientEMS instance a high-value target.
- CVE ID: CVE-2026-21643
- Fortinet IR: FG-IR-25-1142
- Severity: Critical
- CVSS v3.1 Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- Affected Component: Administrative Web Interface (GUI)
- Attack Vector: Remote, via specially crafted HTTP requests (reportedly involving the Site header in multi-tenant setups and endpoints such as /api/v1/init_consts)
- Authentication Required: None
- User Interaction: None
- Known Public Exploitation: No (as of March 2026)
- Discovered By: Internally by Fortinet (Gwendal Guégniaud, Product Security team)
| Product | Version | Status | Fixed In |
|---|---|---|---|
| FortiClientEMS | 7.4.4 | Affected | Upgrade to 7.4.5+ |
| FortiClientEMS | 7.4.x | Only 7.4.4 | 7.4.5 or later |
| FortiClientEMS | 7.2.x | Not affected | - |
| FortiClientEMS | 8.0.x | Not affected | - |
| FortiClientEMS Cloud | All | Not affected | - |
Urgent Action Recommended:
- Upgrade immediately to FortiClientEMS 7.4.5 or any newer release (including the 8.0 branch).
- Restrict access to the administrative GUI:
- Place behind a VPN, firewall, or zero-trust solution.
- Avoid exposing the EMS web interface directly to the internet.
- Monitor logs for suspicious requests to admin endpoints (e.g., involving the Site header or error-based SQLi patterns).
- Apply FortiGuard IPS signatures, if available, for additional protection.
Official Fortinet Advisory:
https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
- Patch Priority: High — treat as emergency due to pre-auth nature.
- If patching cannot be done immediately, block external access to the EMS management interface.
- Review multi-tenant configurations (more exposed due to the Site header handling).
- Enable detailed logging and monitor for database error leaks.
- Regularly scan your environment for exposed FortiClientEMS instances.
Note: The flaw was introduced during a middleware refactoring in 7.4.4 related to multi-tenancy support and was silently patched in 7.4.5.
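A defender-side example, added here and not part of the advisory, of Fortinet's tooling, or of this repository's original content: a short Python script that (1) checks whether a reported EMS version string falls in the affected set (7.4.4 only, per the table above) and (2) scans access-log lines for requests to the /api/v1/init_consts endpoint whose Site header value carries SQL metacharacters, or that produced a 5xx response, which are the two signals the mitigation lists above ask you to watch. The log format, the regular expressions, the `scan_log`/`is_affected` helper names and the sample log lines are constructed assumptions; adapt the log regex to what your reverse proxy actually writes.

```python
"""Triage helpers for CVE-2026-21643 (FortiClientEMS 7.4.4 pre-auth SQLi).

Added example; not Fortinet code and not from the advisory. Assumes a
combined-style access log with the request's Site header value appended
as a trailing quoted field (a constructed format).
"""
import re
from typing import Dict, Iterable, List

# Only 7.4.4 is affected; 7.4.5+, 7.2.x, 8.0.x and Cloud are not (advisory table).
AFFECTED_VERSIONS = {(7, 4, 4)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def is_affected(version: str) -> bool:
    """True when the first x.y.z in the version string is an affected release."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) in AFFECTED_VERSIONS


# Endpoint the advisory names as reportedly involved; extend per your own review.
WATCHED_PATHS = ("/api/v1/init_consts",)

# Quote/comment characters and keywords typical of error-based SQLi probes.
# Tune for your tenant naming scheme: a legitimate name containing "--" would match.
SQLI_HINT = re.compile(
    r"""['"`;]|--|/\*|\b(?:select|union|sleep|pg_sleep|waitfor|cast|convert|extractvalue|updatexml)\b""",
    re.IGNORECASE,
)

# Constructed log layout: ip - - [ts] "METHOD PATH PROTO" status bytes "site-header"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<site>[^"]*)"$'
)


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per suspicious line; lines that don't parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path not in WATCHED_PATHS:
            continue
        site = m.group("site")
        status = int(m.group("status"))
        reasons = []
        if SQLI_HINT.search(site):
            reasons.append("sqli-pattern-in-site-header")
        if status >= 500:  # database error leaking as a server error (advisory: "database error leaks")
            reasons.append("server-error-on-watched-endpoint")
        if reasons:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                "site": site, "status": status, "reasons": reasons,
            })
    return findings


# Constructed sample lines: one benign tenant request, one probe that errored, one unrelated login.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2026:10:00:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "tenant-a"',
    '203.0.113.20 - - [05/Mar/2026:10:00:05 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 128 "tenant-a\' OR 1=1--"',
    '203.0.113.30 - - [05/Mar/2026:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-"',
]

if __name__ == "__main__":
    for v in ("7.4.4", "7.4.5", "8.0.1"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} reasons={f['reasons']}")
```

Run it against a real log by piping lines into `scan_log`; a hit on both reasons for the same source in a short window is a stronger signal than either alone, and any 5xx on the watched endpoint from an unauthenticated source is worth pulling the EMS application logs for.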
- NVD - CVE-2026-21643
- Fortinet PSIRT Advisory FG-IR-25-1142
- Arctic Wolf Analysis
- The Hacker News Coverage
- Qualys ThreatPROTECT
- SentinelOne Vulnerability Database
This repository is maintained for defensive security, awareness, and informational purposes only. Always refer to the official Fortinet advisory for the most accurate and up-to-date guidance.
No public exploits are included here.
⭐ Star this repo if it helped you stay secure!
🛠️ Contributions, corrections, or additional IOCs are welcome via Pull Requests.
Last Updated: March 2026