Critical Flaw Identified in Fortinet Product ‘FortiClientEMS’; Security Updates Released
Fortinet released security updates for CVE-2026-2164
Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw is classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests.
Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.
Technical Details
With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations relying on FortiClientEMS for endpoint management.
The flaws affect the following versions –
- FortiClientEMS 7.2 (Not affected)
- FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
- FortiClientEMS 8.0 (Not affected)
The vulnerability, CVE-2026-21643, resides in the FortiClientEMS administrative web interface.
Reason for the flaw or vulnerability to appear is caused by improper neutralization of user-supplied input in SQL queries. The flaw allows an unauthenticated attacker to send specially crafted HTTP requests to the FortiClientEMS GUI.
This resulted in the execution of arbitrary SQL statements, leading to unauthorized access, data exfiltration, privilege escalation and remote code execution (RCE) on any primary system.
Remediation
Immediate patching is strongly recommended to prevent potential exploitation, as the vulnerability allows attackers to bypass authentication and gain full control over the targeted system.
- In addition to patching, organizations should implement the following best practices to reduce exposure and detect potential exploitation attempts.
- Administrators should review web server and application logs for unusual or unauthorized HTTP requests targeting the FortiClientEMS administrative interface.
- Monitoring for unexpected creation of administrative accounts or the execution of system commands originating from the FortiClientEMS host can help identify compromise.
- Restricting network access to the FortiClientEMS management interface to trusted IP addresses and enforcing strong authentication controls can further reduce the attack surface.
There is currently no evidence of exploitation in the wild but the flaw has been termed a high-priority issue for all organizations using the affected product version, reason the attack surface is vulnerable.
Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.
Conclusion:
The vulnerability is not present in FortiClientEMS versions 7.2, 8.0, or FortiEMS Cloud. The issue has been resolved in FortiClientEMS version 7.4.5 and later.
In the past similar Fortinet SQL injection and remote code execution vulnerabilities were found in Fortinet products and was targeted by cybercriminals and state-sponsored actors for financial benefits.
