Threat intelligence experts at Defused Cyber have reported the active exploitation of a critical vulnerability in Fortinet FortiClient EMS by threat actors. This centralized management server is crucial for organizations aiming to deploy, configure, and oversee FortiClient endpoints across diverse environments, including scenarios that require multi-tenant deployments.
Understanding the Fortinet Vulnerability
The vulnerability, identified as CVE-2026-21643, is an SQL injection flaw that can be remotely exploited without the need for authentication. This is achievable through specially crafted HTTP requests, making it a significant threat. If successfully exploited, this flaw can lead to the execution of arbitrary code or commands, as highlighted in Fortinet’s advisory.
FortiClient EMS version 7.4.4 is affected by this security defect, which was internally identified by Fortinet and addressed with a patch in version 7.4.5 released in early February. Details of the vulnerability were nonetheless made public, and cybersecurity firm Bishop Fox later published a technical analysis showing the exploit to be practical.
Technical Insights and Exploitation Details
Bishop Fox’s analysis revealed that attackers could exploit the /api/v1/init_consts endpoint without prior authentication, leveraging the SQL injection flaw. Because the endpoint has no lockout protection and returns database error messages, attackers can quickly extract sensitive data from vulnerable FortiClient EMS 7.4.4 deployments.
The issue originated from changes in version 7.4.4, specifically a redesigned middleware stack and database connection layer. These changes resulted in HTTP identification headers being unsanitized before authentication, exposing the system to arbitrary SQL code execution. Consequently, attackers could access admin credentials, security policies, endpoint inventory, and certificates.
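As an added illustration that is not part of this article, of Fortinet's code or of Bishop Fox's analysis, the Python block below shows the bug class described in the two paragraphs above: a value taken from a client-supplied HTTP header is spliced into an SQL statement before any authentication check, placed beside the parameterized form that closes the hole. It also runs a small detection check over constructed log lines for requests to the pre-authentication endpoint named above whose header value carries SQL metacharacters or that drew a server error, the two signals the analysis points to. The table, column and header names, the log format and the sample log lines are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a tiny stand-in for an endpoint inventory table.
# None of this is FortiClient EMS code; it only illustrates the bug class.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (id INTEGER PRIMARY KEY, host TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO endpoints (host, owner) VALUES (?, ?)",
        [("laptop-01", "alice"), ("laptop-02", "bob"), ("server-01", "ops")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, client_id):
    # Anti-pattern: a client-controlled header value is concatenated into SQL,
    # so a quote character in the value changes the statement itself.
    query = "SELECT host FROM endpoints WHERE host = '" + client_id + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, client_id):
    # Parameterized query: the driver binds the value as data, so it can never
    # alter the statement regardless of what characters it contains.
    query = "SELECT host FROM endpoints WHERE host = ?"
    return [row[0] for row in conn.execute(query, (client_id,))]

# Detection side: flag pre-auth requests whose identification header looks like
# SQL, or which produced a server error (the article notes the endpoint leaks
# database error messages). Pattern is deliberately coarse; tune for production.
PRE_AUTH_PATH = "/api/v1/init_consts"  # endpoint named in the article
SQL_META = re.compile(r"""['";]|--|/\*|\bOR\b|\bUNION\b""", re.IGNORECASE)
LOG_LINE = re.compile(r'(\S+) (\S+) (\S+) (\d{3}) hdr="(.*)"$')

def flag_suspicious(log_lines):
    """Return (line_no, header_value) for suspicious pre-auth endpoint hits.
    Assumed (constructed) log format: '<ip> <method> <path> <status> hdr="<value>"'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.match(line)
        if not m or m.group(3) != PRE_AUTH_PATH:
            continue
        status, hdr = m.group(4), m.group(5)
        if SQL_META.search(hdr) or status.startswith("5"):
            hits.append((n, hdr))
    return hits

# Constructed sample log lines: one benign hit on the endpoint, one unrelated
# path, one request that triggered a server error, one with a comment sequence.
SAMPLE_LOG = [
    '10.0.0.5 GET /api/v1/init_consts 200 hdr="client-0001"',
    '10.0.0.5 GET /api/v1/status 200 hdr="client-0001"',
    "203.0.113.9 GET /api/v1/init_consts 500 hdr=\"x' OR '1'='1\"",
    '203.0.113.9 GET /api/v1/init_consts 200 hdr="a--"',
]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row leaks
    print("safe:      ", lookup_safe(db, probe))        # no match
    print("flagged:   ", flag_suspicious(SAMPLE_LOG))
```

The contrast is the whole point of the fix Fortinet shipped: the parameterized lookup treats the header as an opaque value, so the same input that returns the entire table from the concatenated version returns nothing. The log check is a starting point for hunting, not a signature; a real rule would also watch for bursts of requests to the endpoint from a single source, since the article notes there is no lockout to slow an attacker down.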
Current Status and Response
Over the recent weekend, Defused Cyber highlighted that the CVE-2026-21643 vulnerability had been actively exploited for several days, affecting approximately 1,000 FortiClient EMS deployments exposed to the internet. The Shadowserver Foundation’s tracking indicates over 2,000 such instances accessible online as of March 30.
The extent of vulnerable deployments remains unclear, and Fortinet has not yet updated their advisory to explicitly mention exploitation. SecurityWeek has reached out to Fortinet for further comments on the exploitation, promising updates upon receiving a response.
As cyber threats continue to evolve, it is imperative for organizations using FortiClient EMS to apply necessary patches and stay vigilant against potential attacks. Regular updates and adherence to security advisories can significantly mitigate risks associated with such vulnerabilities.
