Critical FortiClient EMS SQL Injection Now Exploited
🔴 Threat intelligence firm Defused reports active exploitation of a critical SQL injection in Fortinet FortiClient EMS, tracked as CVE-2026-21643. The vulnerability lets unauthenticated attackers inject SQL via the HTTP 'Site' header to the EMS web GUI, enabling arbitrary code or command execution on unpatched systems. Fortinet fixed the issue in 7.4.5; administrators must upgrade immediately and block public access to EMS interfaces. Defused observed first exploitation four days after discovery and Shodan/Shadowserver data indicate many publicly exposed instances.
