Customer Advisory | CA-A-26-008: Active Exploitation of Fortinet FortiClient EMS CVE-2026-21643

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 4 minutes

Fortinet, FortiClient EMS, CVE-2026-21643, CISA KEV, Active Exploitation, Public PoC

Source Material: CISA, NVD | Technology: Fortinet FortiClient EMS | Targeted Industries: All

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding CVE-2026-21643, a critical SQL injection vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS). On April 13, 2026, CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild; a public proof of concept (PoC) has also been released. This unauthenticated vulnerability allows threat actors to execute unauthorized code via specially crafted HTTP requests, potentially granting them full control over the central management hub and exposing the corporate networks it manages. Immediate patching or mitigation is highly recommended.

Threat Overview and Strategic Impact 

Tracked as CVE-2026-21643, this flaw is categorized as an improper neutralization of special elements used in an SQL command (CWE-89). It occurs because the FortiClient EMS application fails to safely sanitize user input before using it in database queries. The primary danger of this vulnerability is that it requires no authentication at all. Malicious actors can send specially crafted HTTP requests to an internet-exposed FortiClient EMS server to inject SQL commands. A successful exploit can lead to unauthenticated remote code execution (RCE) or the execution of administrative commands.

Because FortiClient EMS controls security policies across connected employee devices, compromising this central hub can expose an entire corporate network. Attackers can leverage this access to breach sensitive databases, modify critical configuration files, or deploy secondary malware payloads. While specific attribution to ransomware groups is currently unconfirmed, vulnerabilities providing unauthenticated RCE are highly sought after by initial access brokers.

Security Hardening and Recommendations

Due to the active threat landscape and publicly available PoC, swift remediation is critical.

  • Apply Patches Immediately: Install the latest official security updates and patches provided directly by Fortinet.
  • Monitor Network Traffic: Actively monitor network traffic and logs for unusual HTTP requests or anomalies targeting the FortiClient EMS infrastructure.
  • Isolate Vulnerable Systems: If immediate patching is not possible, take the vulnerable FortiClient EMS system offline immediately.
  • Implement Cloud Security Practices: Ensure recommended cloud service security practices are in place if hosting the management server externally.
  • Proactive Threat Hunting: Review environments to identify potential breaches that may have occurred prior to public disclosure, as SQL injection attacks can result in rapid database compromise.

Detection Strategy

Security teams should prioritize monitoring for suspicious HTTP traffic patterns, unexpected database query executions, and unauthorized administrative commands originating from or targeting internet-facing FortiClient EMS instances.

How Deepwatch Protects Our Customers

Deepwatch Adversary Tactics and Intelligence (ATI) and Detection Engineering teams are actively reviewing this threat to evaluate relevant hunting and detection opportunities within customer environments. ATI is also monitoring for IoCs and PoCs to further enhance our detection capabilities.

Threat Hunting Leads

  • Suspicious API Endpoint Activity: Hunt for an anomalous volume of HTTP requests, particularly those resulting in 500 Internal Server Error codes, targeting the /api/v1/init_consts endpoint on internet-facing FortiClient EMS servers.
  • Malicious Header Payloads: Review web server and WAF logs for unusual, malformed, or highly suspicious SQL syntax (e.g., UNION SELECT, CAST, pg_sleep) embedded within the Site HTTP header of requests directed at the EMS instance.
  • Anomalous Database Queries: Monitor the backend PostgreSQL database for unexpected or unauthorized queries originating from the FortiClient EMS application, particularly commands attempting to read system files, create new administrative users, or execute shell commands.
  • Post-Exploitation Process Execution: Hunt for suspicious child processes or unexpected command-line activity (e.g., cmd.exe, powershell.exe, bash) spawning directly from the FortiClient EMS worker processes or the PostgreSQL database service, which strongly indicates successful remote code execution.
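The first two hunting leads above (500-error bursts against /api/v1/init_consts and SQL syntax in the Site header) can be turned into a small log-triage script. The following is an added example written for this advisory, not Deepwatch's detection content or Fortinet code. It assumes web-server or WAF events have already been normalized into a key=value line format with the field names src, path, status and hdr_site (an assumption; map them to your proxy or WAF schema), and it runs over constructed sample lines embedded in the block.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Endpoint and thresholds named in the hunting leads. The threshold is a
# starting point for tuning, not a value taken from the advisory.
TARGET_PATH = "/api/v1/init_consts"
ERROR_THRESHOLD = 3

# SQL syntax fragments called out in the "Malicious Header Payloads" lead,
# plus a comment opener. Tune this list against your own false-positive rate.
SQLI_TOKENS = re.compile(
    r"(union\s+select|cast\s*\(|pg_sleep\s*\(|/\*)", re.IGNORECASE
)

# key=value or key="quoted value" pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample events (not real traffic). Two probes carry SQL syntax
# in the Site header; one source produces a burst of HTTP 500 responses.
SAMPLE_LOGS = [
    'ts=2026-04-14T09:00:01Z src=203.0.113.10 method=GET path=/api/v1/init_consts status=200 hdr_site="Default"',
    'ts=2026-04-14T09:00:05Z src=198.51.100.5 method=GET path=/api/v1/init_consts status=500 hdr_site="Default"',
    "ts=2026-04-14T09:01:10Z src=203.0.113.77 method=GET path=/api/v1/init_consts status=500 hdr_site=\"x' UNION SELECT 1--\"",
    "ts=2026-04-14T09:01:11Z src=203.0.113.77 method=GET path=/api/v1/init_consts status=500 hdr_site=\"x' AND pg_sleep(5)--\"",
    'ts=2026-04-14T09:01:12Z src=203.0.113.77 method=GET path=/api/v1/init_consts status=500 hdr_site="Default"',
    'ts=2026-04-14T09:02:00Z src=203.0.113.10 method=POST path=/api/v1/login status=200 hdr_site="Default"',
]


@dataclass
class Finding:
    rule: str     # which hunting lead fired
    src: str      # source address the event came from
    detail: str   # human-readable evidence for the analyst


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def hunt(lines: List[str], error_threshold: int = ERROR_THRESHOLD) -> List[Finding]:
    """Apply both hunting leads to a batch of log lines and return findings."""
    findings: List[Finding] = []
    error_counts: Counter = Counter()

    for line in lines:
        event = parse_line(line)
        src = event.get("src", "?")
        path = event.get("path", "")
        site_header = event.get("hdr_site", "")

        # Lead 1: count HTTP 500 responses per source on the init_consts endpoint.
        if path == TARGET_PATH and event.get("status") == "500":
            error_counts[src] += 1

        # Lead 2: SQL syntax embedded in the Site header, regardless of status code.
        match = SQLI_TOKENS.search(site_header)
        if match:
            findings.append(Finding(
                "sqli_in_site_header", src,
                f"token {match.group(0)!r} in Site header of request to {path}",
            ))

    # A single 500 can be a legitimate server fault; a burst from one source is not.
    for src, count in error_counts.items():
        if count >= error_threshold:
            findings.append(Finding(
                "init_consts_500_burst", src,
                f"{count} HTTP 500 responses on {TARGET_PATH}",
            ))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(f"[{finding.rule}] {finding.src}: {finding.detail}")
```

Run against the constructed sample, the script reports two header findings and one error-burst finding, all from 203.0.113.77, while the single 500 from 198.51.100.5 stays below the threshold. Corroborate any hit with the PostgreSQL and process-execution leads above before treating it as a confirmed intrusion.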

Technical Artifacts 

Specific Indicators of Compromise (IoCs) such as attacker IPs or file hashes have not been widely published at this time. Defenders should rely on behavioral analytics and network monitoring focused on anomalous HTTP and SQL request behaviors tied to the EMS infrastructure.

Threat Object Mapping

Intrusion Set:

  • This activity is not attributed to a specific intrusion set at this time.

Attack Pattern (MITRE ATT&CK):

| Tactic | Technique | Technique ID | Associated Threat Activity |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | Threat actors exploit CVE-2026-21643 by sending specially crafted HTTP requests to an internet-exposed FortiClient EMS server to inject malicious SQL commands without authentication. |
| Execution | Command and Scripting Interpreter | T1059 | Following a successful SQL injection, attackers execute unauthorized code or administrative commands remotely on the compromised host. |

Vulnerability:

  • CVE-2026-21643

Malware/Tool:

  • A working Python exploit script has been published on GitHub (hxxps://github[.]com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.py).

Additional Sources
