An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
The vulnerability results from improper neutralization of special characters in SQL queries (CWE-89). The attacker sends specially crafted HTTP requests containing malicious data injected directly into SQL commands executed by the application. The lack of proper validation and sanitization of input data allows manipulation of database query logic, and consequently execution of unauthorized operations or server-side code.
An unauthenticated attacker can execute arbitrary code or system commands on the vulnerable server, which in practice means complete takeover of the FortiClientEMS client management system, data disclosure or modification, and potential lateral movement within the internal network.
Apply patches available from the vendor in accordance with references published by Fortinet (FG-IR-25-1142) at https://fortiguard.fortinet.com/psirt/FG-IR-25-1142. Due to active exploitation of the vulnerability in production environments, the update should be performed immediately. Until the patch is deployed, it is recommended to restrict access to the FortiClientEMS interface exclusively to trusted networks.
Fortinet FortiClientEMS version 7.4.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet Forticlientems
APPFortinet7.4.4
CISA KEV — detailsi
- Vendori
- Fortinet ↗
- Producti
- FortiClient EMS
- Added to KEVi
- April 13, 2026
- Remediation deadline (US Federal)i
- April 16, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Related vulnerabilities
Fortinet FortiClientEMS — nieuwierzytelnione wykonanie kodu (Auth Bypass)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89]...
An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through...
A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortin...
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow a...