CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2026-21643

CVSS 9.8v3.1pub. 2026-02-06upd. 2026-04-16

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of special characters in SQL queries (CWE-89). The attacker sends specially crafted HTTP requests containing malicious data injected directly into SQL commands executed by the application. The lack of proper validation and sanitization of input data allows manipulation of database query logic, and consequently execution of unauthorized operations or server-side code.

Impact

An unauthenticated attacker can execute arbitrary code or system commands on the vulnerable server, which in practice means complete takeover of the FortiClientEMS client management system, data disclosure or modification, and potential lateral movement within the internal network.

Mitigation & patch

Apply patches available from the vendor in accordance with references published by Fortinet (FG-IR-25-1142) at https://fortiguard.fortinet.com/psirt/FG-IR-25-1142. Due to active exploitation of the vulnerability in production environments, the update should be performed immediately. Until the patch is deployed, it is recommended to restrict access to the FortiClientEMS interface exclusively to trusted networks.

Who is affected

Fortinet FortiClientEMS version 7.4.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fortinet Forticlientems

    APP
    Fortinet
    7.4.4

CISA KEV — detailsi

Vendori
Fortinet
Producti
FortiClient EMS
Added to KEVi
April 13, 2026
Remediation deadline (US Federal)i
April 16, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 16 kwietnia 2026
Tags
SQLiAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-35616CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet FortiClientEMS — nieuwierzytelnione wykonanie kodu (Auth Bypass)

CVE-2025-59922HIGH7.2ten sam produkt

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89]...

CVE-2024-23106HIGH8.1ten sam produkt

An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through...

CVE-2026-39809MEDIUM6.7ten sam produkt

A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortin...

CVE-2026-39810MEDIUM6.0ten sam produkt

A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow a...