Fortinet Patches Critical SQL Injection Flaw in FortiClientEMS Enabling Unauthenticated RCE
Fortinet discloses CVE-2026-21643 (CVSS 9.1), a critical SQL injection vulnerability in FortiClientEMS 7.4.4 that allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests.
Fortinet published a security advisory on February 6, 2026, disclosing CVE-2026-21643, a critical SQL injection vulnerability in FortiClientEMS 7.4.4 with a CVSS score of 9.1. The flaw allows an unauthenticated remote attacker to execute arbitrary commands on the target system.
Technical Details
The vulnerability is an improper neutralization of special elements in SQL commands — standard SQL injection. User-supplied input in HTTP requests to the management interface is not properly sanitized before being incorporated into SQL queries. An unauthenticated attacker who can reach the FortiClientEMS management interface can send crafted HTTP requests that manipulate the underlying SQL queries, achieving arbitrary command execution on the server.
Pre-authentication SQL injection leading to RCE represents a particularly severe class of flaw: an attacker with network access to the management port can move from zero foothold to code execution in a single step, without credentials or multi-step chains.
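To make the flaw class concrete, the following is an added example (not Fortinet code, and not FortiClientEMS's schema, endpoints or query logic) that contrasts a lookup built by string concatenation with a parameterized one, and adds a coarse access-log screen for SQL metacharacters in requests to a management path. The table, the `/api/` prefix and the log lines are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for a management database; the table and
# columns are invented for this example and are not FortiClientEMS's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (id INTEGER, hostname TEXT, policy TEXT)")
    conn.executemany("INSERT INTO endpoints VALUES (?, ?, ?)",
                     [(1, "ws-01", "default"), (2, "ws-02", "strict"), (3, "srv-01", "server")])
    return conn

def lookup_vulnerable(conn, hostname):
    # The request parameter is spliced into the statement text, so a quote in
    # the value changes the query's structure instead of being matched as data.
    sql = "SELECT hostname, policy FROM endpoints WHERE hostname = '" + hostname + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, hostname):
    # Bound parameter: the value is passed separately from the SQL grammar,
    # so the same input is compared literally and matches nothing.
    return conn.execute("SELECT hostname, policy FROM endpoints WHERE hostname = ?",
                        (hostname,)).fetchall()

# Coarse screen for SQL metacharacters in request paths; the management path
# prefix is a placeholder, and hostnames containing "or" will false-positive.
SQLI_MARKERS = re.compile(r"('|--|/\*|\bor\b\s+\S+\s*=\s*\S+|\bunion\b)", re.IGNORECASE)

def flag_requests(log_lines, mgmt_prefix="/api/"):
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and m.group(1).startswith(mgmt_prefix) and SQLI_MARKERS.search(unquote(m.group(1))):
            flagged.append(line)
    return flagged

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed tautology input
    logs = [  # constructed access-log lines
        '10.0.0.5 - - [06/Feb/2026:10:00:01 +0000] "GET /api/endpoints?host=ws-01 HTTP/1.1" 200',
        '198.51.100.7 - - [06/Feb/2026:10:00:02 +0000] "GET /api/endpoints?host=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200',
    ]
    return {
        "vuln_benign": lookup_vulnerable(conn, "ws-01"),
        "vuln_crafted": lookup_vulnerable(conn, crafted),   # returns every row
        "safe_crafted": lookup_parameterized(conn, crafted),  # returns []
        "flagged": flag_requests(logs),
    }
```

The log screen is a triage aid only; the durable fix is the parameterized query (or, for appliances, the vendor patch).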
Affected Versions
Only FortiClientEMS version 7.4.4 is affected. Versions 7.2.x and 8.0.x are not vulnerable. The fix is available in FortiClientEMS 7.4.5 or later. Organizations running 7.4.4 should prioritize the upgrade, especially if the management interface is exposed to the internet or untrusted network segments.
FortiClientEMS is the central management and policy distribution point for FortiClient endpoint security agents deployed on workstations and servers. Its role in enterprise security infrastructure makes it a high-value target — compromising the management server could give an attacker control over endpoint security policies across the organization.
Discovery and Timeline
The vulnerability was discovered internally by Gwendal Guégniaud of Fortinet's Product Security team. No exploitation in the wild was observed at the time of disclosure. Internal discovery with coordinated disclosure before exploitation represents the ideal outcome — the vulnerability is patched before threat actors can weaponize it.
However, the public advisory provides enough technical detail for motivated threat actors to reconstruct the vulnerable code path. The time between advisory publication and weaponized exploit development has compressed to 24-72 hours for some vulnerabilities. Organizations running FortiClientEMS 7.4.4 should treat the update as urgent regardless of the current absence of observed exploitation.
Broader Context
Fortinet products have been a recurring target for threat actors. CVE-2024-21762 in FortiOS SSL-VPN was widely exploited by multiple groups including state-sponsored operators. The pattern of Fortinet vulnerabilities being rapidly adopted by sophisticated actors reflects the ubiquity of Fortinet products in enterprise and government network security infrastructure. Patch velocity for Fortinet advisories should reflect this elevated threat profile.