TP-EXP-2026-0007 CVE-2026-21643 critical Patched Under Review

Fortinet FortiClient EMS SQL Injection (CVE-2026-21643)

CVE: CVE-2026-21643
Platform: Fortinet FortiClient EMS
Type: SQL Injection
Severity: CRITICAL
Status: Patched
Zero-Day: Confirmed
Disclosed: April 13, 2026
Patched: April 13, 2026
CISA KEV: Listed

Severity Assessment

  • Exploitability: 9/10 — Unauthenticated remote SQL injection; no user interaction required
  • Impact: 9/10 — Full database access and potential remote code execution by chaining SQL injection into OS command execution
  • Weaponization Risk: 8/10 — CVSS 9.8 CRITICAL; added to CISA KEV with active exploitation confirmed
  • Patch Urgency: 10/10 — CISA requires federal agency remediation by 2026-04-16
  • Detection Coverage: 6/10 — Standard WAF/IDS SQL injection rules may detect exploitation attempts; application-level monitoring recommended

Executive Summary

CVE-2026-21643 is a critical SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS). The vulnerability allows an unauthenticated remote attacker to execute arbitrary SQL commands against the backend database by sending specially crafted requests to the FortiClient EMS web management interface. The vulnerability has a CVSS 3.1 base score of 9.8 (CRITICAL) with an attack vector of Network, low attack complexity, no privileges required, and no user interaction needed.

FortiClient EMS is a centralized endpoint management platform used by organizations to deploy, configure, and monitor FortiClient endpoint security agents across their infrastructure. Compromise of the EMS server provides an attacker with control over endpoint security policies and visibility into the organization’s endpoint fleet.

CISA added CVE-2026-21643 to the Known Exploited Vulnerabilities catalog on 13 April 2026, confirming active exploitation in the wild. Federal agencies are required to apply remediation by 16 April 2026. Fortinet has published advisory FG-IR-25-1142 with patch information.

Exploit Chain

Stage 1: Target Discovery

The attacker identifies internet-facing FortiClient EMS instances by scanning for the web management interface, typically accessible on HTTPS port 443 or a custom port. Shodan and similar search engines can identify exposed EMS installations via HTTP response headers and TLS certificate characteristics.

Stage 2: SQL Injection via Management Interface

The attacker sends a crafted HTTP request to a vulnerable API endpoint in the FortiClient EMS web management interface. The request includes malicious SQL syntax in a parameter that is passed unsanitized to the backend database query. The CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) classification confirms that input validation is insufficient.

Stage 3: Database Extraction

Through the SQL injection, the attacker can enumerate database tables, extract stored credentials (including FortiClient endpoint agent enrollment keys and administrator password hashes), and read configuration data. The FortiClient EMS database contains information about all managed endpoints, their configurations, and security policies.

Stage 4: Potential Remote Code Execution

Depending on the database system and its configuration, the attacker may escalate from SQL injection to operating system command execution using database-native functions (such as xp_cmdshell in Microsoft SQL Server or COPY TO PROGRAM in PostgreSQL). This escalation provides full server compromise.

Stage 5: Endpoint Policy Manipulation

With administrative access to the FortiClient EMS management plane, the attacker can modify endpoint security policies, disable security features on managed endpoints, or deploy malicious configurations across the organization’s endpoint fleet.

Detection Guidance

Network-based detection:

  • Monitor HTTP/HTTPS traffic to FortiClient EMS web management interfaces for SQL injection patterns in request parameters
  • Deploy web application firewall (WAF) rules to block common SQL injection payloads targeting the affected endpoints
  • Alert on unusual query patterns in database audit logs associated with the EMS application database

Host-based detection:

  • Enable and monitor FortiClient EMS application logs for error messages indicating SQL syntax errors or unexpected query results
  • Monitor the EMS server’s database process for unexpected command execution or file system access
  • Track changes to FortiClient endpoint security policies for unauthorized modifications

Recommended actions:

  • Restrict access to the FortiClient EMS web management interface to trusted administrative networks only
  • Apply the patch referenced in Fortinet advisory FG-IR-25-1142 immediately
  • Review EMS administrator accounts for unauthorized additions or password changes
  • Audit endpoint security policies for unauthorized modifications

Indicators of Compromise

Network indicators:

  • HTTP requests to FortiClient EMS management interface containing SQL metacharacters (single quotes, UNION SELECT, semicolons, comment sequences) in URL parameters or POST body fields
  • Unusual outbound connections from the FortiClient EMS server to external IP addresses
  • Large database query result sets transmitted to external addresses
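The request inspection described in the network indicators above, as an added example that is not part of this advisory or of any Fortinet tooling. The log format and the /api/... paths are constructed placeholders, not real EMS routes; the script also peels double URL-encoding (%2527), which a single-pass pattern match would miss.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Patterns from the advisory's network indicators: quotes, UNION SELECT, stacked statements, comments, information_schema.
SQLI_PATTERNS = [
    ("single_quote", re.compile(r"'")),
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("stacked_query", re.compile(r";\s*\w")),
    ("comment_sequence", re.compile(r"--|/\*")),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
]

def decode_field(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads (%2527) are still seen."""
    for _ in range(rounds):
        value, previous = unquote_plus(value), value
        if value == previous:
            break
    return value

def inspect_request(method, path, body=""):
    """Return [(field, pattern_label)] for every suspicious parameter in one request."""
    fields = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        fields += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, raw in fields:
        value = decode_field(raw)  # parse_qsl decoded once; peel any further layers
        for label, rx in SQLI_PATTERNS:
            if rx.search(value):
                hits.append((name, label))
    return hits

def scan_log(lines):
    """Scan constructed log lines of the form 'METHOD PATH[<TAB>form-body]'."""
    alerts = []
    for n, line in enumerate(lines, 1):
        request, _, body = line.partition("\t")
        method, _, path = request.partition(" ")
        hits = inspect_request(method, path, body)
        if hits:
            alerts.append({"line": n, "request": request, "hits": hits})
    return alerts

# Constructed sample traffic; the /api/... paths are placeholders, not real EMS routes.
SAMPLE_LOG = [
    "GET /api/endpoints?page=1&sort=hostname",
    "GET /api/endpoints?id=1%27%20UNION%20SELECT%201%2C2--",
    "POST /api/login\tuser=a%2527%253B%2520SELECT%25201%2520FROM%2520information_schema.tables--&pw=x",
]
```

scan_log(SAMPLE_LOG) flags lines 2 and 3 and leaves the benign first request alone; the same inspect_request call can be run over real access logs once the parsing in scan_log is adapted to their format.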

Host indicators:

  • Unexpected processes spawned by the database service account on the EMS server
  • Modifications to FortiClient EMS configuration files outside of normal administrative windows
  • New administrator accounts created in the EMS management console
  • Changes to endpoint security policies without corresponding change management records

Log indicators:

  • FortiClient EMS application logs containing SQL error messages or stack traces
  • Database audit logs showing queries with UNION SELECT, information_schema references, or system table enumeration
  • Windows Security Event Log entries for process creation by the database service account
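The host and log indicators above (a database service account or engine spawning unexpected processes) can be checked against Windows Security 4688 process-creation records. This is an added example, not part of the advisory or of Fortinet's product: the event records are constructed inline in the Windows event XML schema, and the service account names and install paths are assumptions to be replaced with the EMS host's own.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Database engines named in the advisory's Stage 4; neither normally spawns child processes.
DB_ENGINES = {"sqlservr.exe", "postgres.exe"}
# Service account names are assumptions for this example; substitute the EMS host's own.
DB_ACCOUNTS = {"MSSQLSERVER", "svc_ems_db"}

def parse_4688(xml_text):
    """Return the fields of one Security 4688 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "user": data.get("SubjectUserName", ""),
        "new": PureWindowsPath(data.get("NewProcessName", "")).name.lower(),
        "parent": PureWindowsPath(data.get("ParentProcessName", "")).name.lower(),
        "cmd": data.get("CommandLine", ""),
    }

def is_suspicious(ev):
    """Flag any child of the DB engine, and anything the DB account starts that is not the engine."""
    if ev is None:
        return False
    if ev["parent"] in DB_ENGINES:
        return True
    return ev["user"] in DB_ACCOUNTS and ev["new"] not in DB_ENGINES

def scan_events(records):
    return [ev for ev in map(parse_4688, records) if is_suspicious(ev)]

def make_event(event_id, user, new, parent, cmd=""):
    """Build a constructed Security event in the Windows event XML schema (sample data only)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>'
        f'<Data Name="SubjectUserName">{user}</Data><Data Name="NewProcessName">{new}</Data>'
        f'<Data Name="ParentProcessName">{parent}</Data><Data Name="CommandLine">{cmd}</Data>'
        "</EventData></Event>"
    )

# Constructed records: service start, an engine-spawned shell, admin activity, and a 4624 logon.
SAMPLE_EVENTS = [
    make_event(4688, "SYSTEM", r"C:\MSSQL\Binn\sqlservr.exe", r"C:\Windows\System32\services.exe"),
    make_event(4688, "MSSQLSERVER", r"C:\Windows\System32\cmd.exe", r"C:\MSSQL\Binn\sqlservr.exe", "cmd.exe /c whoami"),
    make_event(4688, "emsadmin", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    make_event(4624, "MSSQLSERVER", "", ""),
]
```

Only the second record is returned by scan_events: the normal service start (SYSTEM launching the engine) and ordinary administrator activity are not flagged, and the logon event is ignored by the parser. CommandLine is only present in 4688 records when process command-line auditing is enabled on the host.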

Disclosure Timeline

2026-04-13 — Fortinet Advisory Published

Fortinet published PSIRT advisory FG-IR-25-1142 disclosing CVE-2026-21643 and providing patch information for affected FortiClient EMS versions.

2026-04-13 — CISA KEV Entry Added

CISA added CVE-2026-21643 to the Known Exploited Vulnerabilities catalog with a required remediation date of 16 April 2026, indicating confirmed active exploitation.

2026-04-13 — NVD Entry Published

NIST published the CVE-2026-21643 entry in the National Vulnerability Database with a CVSS 3.1 base score of 9.8 (CRITICAL).

Sources & References