Exposed Endpoint: Critical FortiClient EMS Vulnerability (CVSS 9.1) Enables Unauthenticated Remote Code Execution
- Feb 9
Key Findings
- A critical SQL injection vulnerability (CVE-2026-21643) with a CVSS score of 9.1 has been discovered in Fortinet's FortiClient Enterprise Management Server (EMS).
- The flaw allows unauthenticated remote code execution, enabling attackers to take full control of the management server without any credentials.
- The vulnerability is caused by improper sanitization of user input, allowing malicious SQL commands to be injected and executed.
- The vulnerability affects FortiClient EMS version 7.4.4; the 7.2 and 8.0 branches are not affected.
- Fortinet has released a fix, and customers on the affected version are urged to upgrade to 7.4.5 or above immediately.
Background
Fortinet is a leading provider of cybersecurity solutions, including the FortiClient Enterprise Management Server (EMS) platform. FortiClient EMS is used by organizations to centrally manage and deploy endpoint protection across their networks. The discovery of this critical vulnerability at the heart of Fortinet's endpoint security management solution is particularly concerning, as it could allow attackers to compromise the very systems designed to protect an organization's endpoints.
Technical Details
The vulnerability, tracked as CVE-2026-21643, is caused by improper neutralization of special elements used in an SQL command (SQL injection). Specifically, the FortiClient EMS application fails to properly sanitize user input, leaving the door open for an attacker to inject malicious SQL code.
By crafting a specially designed HTTP request, an unauthenticated attacker can cause the database to execute arbitrary commands on the server. This "pre-authentication" access is particularly dangerous, as the attacker does not need to steal any credentials or phish an employee to launch the attack.
Successful exploitation of this vulnerability could allow the attacker to execute unauthorized code or commands on the FortiClient EMS server, effectively giving them full control over the system and the ability to potentially spread to other parts of the network.
Affected Versions and Patch Information
The vulnerability is specific to the following FortiClient EMS versions:
- FortiClient EMS 7.4: Version 7.4.4 is affected
- FortiClient EMS 8.0: This branch is "Not affected"
- FortiClient EMS 7.2: This branch is also "Not affected"
Fortinet has released a fix for the vulnerability, and administrators running the affected version 7.4.4 are urged to upgrade to 7.4.5 or a later version immediately to close the security hole.
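As an added example (not code from the original article or from Fortinet), the following Python helper classifies FortiClient EMS version strings against the version matrix above so an administrator can triage an inventory export: 7.4.4 is affected, 7.4.5 and later are fixed, and the 7.2 and 8.0 branches are not affected. Versions the advisory does not mention (for example 7.4.0 through 7.4.3, or other branches) are reported as unknown rather than guessed; the host names in the sample inventory are constructed.

```python
import re

# Version matrix as stated in the advisory: 7.4.4 affected, 7.4.5+ fixed,
# 7.2 and 8.0 branches not affected. Anything else is not covered by it.
FIXED_FROM = (7, 4, 5)
NOT_AFFECTED_BRANCHES = {(7, 2), (8, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' into integers so 7.4.10 compares above 7.4.5."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiClient EMS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version_text: str) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for CVE-2026-21643."""
    v = parse_version(version_text)
    if v[:2] in NOT_AFFECTED_BRANCHES:
        return "not_affected"
    if v[:2] == (7, 4):
        if v == (7, 4, 4):
            return "affected"
        if v >= FIXED_FROM:
            return "fixed"
        # 7.4.0-7.4.3: the advisory does not state their status, so do not guess.
        return "unknown"
    return "unknown"


def triage(inventory: dict) -> dict:
    """Group hosts by status; 'affected' and 'unknown' hosts need follow-up."""
    report = {"affected": [], "fixed": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {"ems-prod-01": "7.4.4", "ems-prod-02": "7.4.10",
              "ems-lab": "7.2.8", "ems-new": "8.0.1", "ems-old": "7.4.2"}
    for status, hosts in triage(sample).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```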
Conclusion
The discovery of this critical SQL injection vulnerability in Fortinet's FortiClient EMS, with a CVSS score of 9.1, is a serious concern for organizations relying on this platform to manage their endpoint security. The ability for unauthenticated attackers to gain full control of the management server is a severe risk that must be addressed promptly. IT administrators should verify their FortiClient EMS versions and apply the necessary patch to protect their networks from potential compromise.
Sources
https://securityonline.info/endpoint-exposed-critical-forticlient-ems-flaw-cvss-9-1-allows-unauthenticated-rce/