FortiClient Endpoint Management Server (EMS) SQL Injection Vulnerability (CVE-2026-21643)
Fortinet released a security advisory to address a critical-severity vulnerability impacting FortiClientEMS. The vulnerability, tracked as CVE-2026-21643, could lead to arbitrary code execution on the target system if successfully exploited. It has a CVSS score of 9.1.
Gwendal Guégniaud of the Fortinet Product Security team discovered the vulnerability.
FortiClient Endpoint Management Server is a security management solution that enables users to manage multiple endpoints (computers) in a centralized, scalable manner. It provides visibility across the network and allows users to assign security profiles to endpoints, automatically manage devices, and troubleshoot FortiClient EMS.
Vulnerability Description
An improper neutralization of special elements used in an SQL command ("SQL Injection", CWE-89) vulnerability in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code via specially crafted HTTP requests.
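The advisory names the weakness class only; it does not describe the EMS code path. The following is an added, generic illustration of that class, not Fortinet's code and not how this CVE is triggered: an HTTP request parameter spliced into an SQL statement beside the parameterized form that neutralizes it. The table, rows and the `lookup_*` functions are constructed for the example and use Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed sample data: a tiny "endpoints" table standing in for whatever
# an endpoint-management backend might query by a user-supplied hostname.
SAMPLE_ROWS = [
    ("ws-01", "alice"),
    ("ws-02", "bob"),
    ("srv-01", "ops"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE endpoints (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO endpoints (hostname, owner) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, hostname):
    """CWE-89 pattern: the request parameter is concatenated into the statement.

    A quote character in `hostname` ends the string literal, so the rest of the
    value is interpreted as SQL rather than as data.
    """
    query = f"SELECT hostname, owner FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, hostname):
    """Hardened form: a bound parameter is always treated as a value.

    The statement text is fixed; the driver passes the value separately, so
    special characters in `hostname` cannot change the query's structure.
    """
    query = "SELECT hostname, owner FROM endpoints WHERE hostname = ?"
    return conn.execute(query, (hostname,)).fetchall()


def compare(hostname):
    """Run both lookups for one input and return (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, hostname), lookup_safe(conn, hostname)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign value behaves identically in both forms.
    print(compare("ws-01"))
    # A value carrying a quote and an always-true clause makes the unsafe form
    # return every row, while the safe form returns nothing.
    print(compare("' OR '1'='1"))
```

The first call returns the single matching row from both functions; the second shows the unsafe function returning all three rows because the injected clause rewrote the `WHERE` condition, while the parameterized function correctly finds no endpoint with that literal name. Fortinet's fix is delivered as a version upgrade rather than application code, so the only actionable defender step from this page remains patching and scanning for the affected build.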
Affected Versions
The vulnerability affects FortiClientEMS version 7.4.4.
Mitigation
Customers are advised to upgrade to the following versions to patch the vulnerability:
- FortiClient EMS 7.4.5 or above
Please refer to the Fortinet PSIRT Advisory (FG-IR-25-1142) for more information.
Qualys Detection
Qualys customers can scan their devices with QIDs 386518 and 530916 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://fortiguard.fortinet.com/psirt/FG-IR-25-1142