Fortinet shipped a critical FortiClientEMS fix, and it is the kind of bug attackers love

February 11, 2026

Fortinet just patched a critical SQL injection vulnerability in FortiClient Endpoint Management Server (FortiClientEMS) that can let an unauthenticated attacker execute unauthorized code or commands through crafted HTTP requests. The CVE is CVE-2026-21643.

If that sounds abstract, here is the real-world translation. FortiClientEMS is a control plane for endpoints. When the control plane is compromised, “one server got popped” can quickly become “every managed machine is now at risk”.

And this news lands right after another Fortinet issue, CVE-2026-24858, where Fortinet and CISA both describe active exploitation tied to FortiCloud SSO admin login paths. So yes, the vibes are bad.

---

What exactly got fixed in FortiClientEMS

CVE-2026-21643 is an SQL injection bug, meaning user-controlled input can be interpreted as part of a database query. In this case, it is reachable via HTTP requests and described as allowing an attacker to execute unauthorized code or commands without authentication.

Affected and fixed versions

- Affected: FortiClientEMS 7.4.4
- Fix: upgrade to 7.4.5 or later
- Not affected: FortiClientEMS 7.2 and 8.0 (as stated in the PSIRT advisory)

Severity score, and why people are quoting different numbers

Some reporting cites 9.1, but the NVD entry includes a 9.8 CVSS v3.1 vector from Fortinet as the CNA (the scoring authority here). Treat it as “critical either way” because it is network reachable, requires no authentication, and has high impact.

Is it exploited in the wild?

Fortinet has not publicly said this one is exploited. That does not mean it is safe. It means you still have a patch window before it turns into a mass-scanning festival.

---

Hacker perspective: why this is spicy

Attackers are obsessed with “systems that manage other systems”. FortiClientEMS is literally that. A normal endpoint compromise is one device. A management-plane compromise is leverage.

From an attacker’s perspective, the dream is simple. Find a management interface that is reachable. Gain a foothold once. Use the platform’s legitimate privileges to push changes at scale.

SQL injection is particularly nasty because it often starts as “database manipulation” and ends as “application behavior control”, and Fortinet’s own description explicitly warns about code or command execution outcomes. So even if you think your endpoints are hardened, that does not help if the thing telling them what policy to enforce gets owned.

---

The other Fortinet problem that actually is being exploited

Now for the second part of the story, because it changes the risk mood.

CVE-2026-24858 is an authentication bypass involving FortiCloud SSO. The condition is important. If FortiCloud SSO authentication is enabled on a device, an attacker with a FortiCloud account and a registered device may be able to log into devices registered to other accounts.

CISA published an alert about ongoing exploitation, and the CVE appears in CISA’s Known Exploited Vulnerabilities (KEV) catalog. That is the government version of “people are getting hit, patch now”.

Fortinet’s own guidance and analysis describe attacker behavior consistent with real compromise workflows, including creating local admin accounts for persistence, making config changes that can grant access, and exfiltrating firewall configurations.

---

What clients should do, like today

This is the pragmatic part. No theatre. No vendor drama. Just actions.

If you run FortiClientEMS

1. Upgrade FortiClientEMS 7.4.4 to 7.4.5+ immediately.
2. Lock down exposure. Treat EMS like a crown-jewel admin surface. Put it behind a VPN, an allowlist, and management network segmentation.
3. Watch the EMS host for abnormal process launches and suspicious web request patterns. Even without a published exploitation statement, high-severity bugs get targeted fast.

If you use FortiCloud SSO admin login in Fortinet products

1. Check whether FortiCloud SSO admin login is enabled, and disable it if you do not absolutely need it.
2. Hunt for persistence. Look for unexpected local admins and admin-level config changes around the exploitation timeframe described by Fortinet and CISA.
3. Assume config sensitivity. If configs were accessed or exported, treat that as a serious data exposure because it can reveal network topology, VPN settings, and security rules.

---

The bigger lesson

This is not just “Fortinet had a bug”. Every vendor has bugs. The real point is that management plane and identity paths are where single failures become ecosystem failures.

If I were a defender reading this, I would take away one rule. If it can manage your fleet or your admin login, patch it like it can take down your company. Because it can.
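As an added example for the FortiClientEMS steps above (not code from this post or from Fortinet), the script below triages an EMS version against the advisory facts quoted here, then runs generic SQL-injection signatures and an admin-source allowlist over constructed access-log lines; the log format is assumed to be the common combined format, and the paths are placeholders, not real EMS endpoints.

```python
import re
from urllib.parse import unquote_plus

# Version facts as this page quotes them from the advisory: 7.4.4 affected, 7.4.5 or
# later fixed, 7.2 and 8.0 not affected. Anything else is reported as unknown, not guessed.
def ems_status(version: str) -> str:
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] in ((7, 2), (8, 0)):
        return "not affected"
    if parts == (7, 4, 4):
        return "affected: upgrade to 7.4.5 or later"
    if parts[:2] == (7, 4) and len(parts) >= 3 and parts[2] >= 5:
        return "fixed"
    return "unknown: check the PSIRT advisory"

# Generic SQL-injection request indicators, checked after URL decoding so percent-encoded
# quotes and '+' spaces are not missed. Signatures like these produce false positives; on
# an admin surface that should see little traffic, a short review queue is the point.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b.{0,20}\bselect\b"),
    re.compile(r"(?i)'\s*(or|and)\s+['\d]"),
    re.compile(r"(?i)\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay"),
    re.compile(r"--|/\*"),  # SQL comment sequences used to cut a query short
]

# Combined-format access log line: source, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3}')

def flag_requests(lines, allowlist=frozenset()):
    """Return (source, decoded_target, reasons) for requests that match an SQLi indicator
    or, when an allowlist is given, arrive from outside the admin allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        decoded = unquote_plus(m["target"])
        reasons = [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]
        if allowlist and m["src"] not in allowlist:
            reasons.append("source not in admin allowlist")
        if reasons:
            findings.append((m["src"], decoded, reasons))
    return findings

# Constructed sample log; the paths are placeholders, not real FortiClientEMS endpoints.
SAMPLE_LOG = [
    '10.0.5.12 - - [11/Feb/2026:09:14:02 +0000] "GET /placeholder/api/items?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Feb/2026:09:14:09 +0000] "GET /placeholder/api/items?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0',
    '198.51.100.7 - - [11/Feb/2026:09:14:11 +0000] "GET /placeholder/api/items?id=1+UNION+SELECT+null,version()-- HTTP/1.1" 200 880',
    '10.0.5.12 - - [11/Feb/2026:09:15:00 +0000] "POST /placeholder/login HTTP/1.1" 302 0',
]
```

Call `flag_requests(SAMPLE_LOG, allowlist=frozenset({"10.0.5.12"}))` to see the two requests from the non-allowlisted source flagged, each with the matching signature names attached.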
