A critical SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS) is being actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw — tracked as CVE-2026-21643 — to its Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026. Federal civilian agencies have been ordered to patch their systems by today, April 16, 2026, and private sector organizations are urged to follow with equal urgency.
Vulnerability Overview: No Authentication Required
CVE-2026-21643 is a pre-authentication SQL injection vulnerability affecting Fortinet FortiClient EMS version 7.4.4 — the centralized management server used by enterprise and government organizations to manage FortiClient endpoint security agents deployed across their networks.
The flaw carries a CVSS score of 9.1 (Critical) and stems from improper neutralization of special elements used in an SQL command. What makes this vulnerability particularly dangerous is that exploitation requires absolutely no user authentication: an attacker on the network can inject malicious SQL via a specially crafted HTTP Site header, potentially gaining the ability to execute unauthorized code or administrative commands on the EMS server.
Security researchers at Bishop Fox and Horizon3.ai published detailed analysis of the vulnerability, confirming that a working exploit is both technically feasible and now being used in active attacks against real-world targets.
Who Is Being Targeted?
FortiClient EMS is widely deployed in enterprise environments, government agencies, financial institutions, and critical infrastructure sectors. The management server typically has elevated network privileges, making it a high-value target for attackers seeking to pivot laterally across a victim’s environment.
Researchers at The Cyber Express and Help Net Security reported that exploitation has been confirmed against multiple organizations, though specific victim details have not been publicly disclosed. The breadth of FortiClient EMS deployments globally means the attack surface is substantial.
CISA’s Response and Patching Deadline
CISA’s addition of CVE-2026-21643 to the KEV catalog on April 13, 2026, triggers mandatory action requirements under Binding Operational Directive (BOD) 22-01. All Federal Civilian Executive Branch (FCEB) agencies must apply the available patch by April 16, 2026 — an aggressive three-day window that reflects the severity of the active exploitation.
The fix is straightforward: administrators must upgrade to FortiClient EMS version 7.4.5 or above, which contains the patch for this vulnerability. Fortinet published the advisory alongside the CISA notification.
Part of a Broader CISA Alert
CVE-2026-21643 was one of six vulnerabilities added to the KEV catalog in CISA’s April 14 advisory, which also included actively exploited flaws in Microsoft and Adobe products. The combined alert underscores what security experts describe as a surge in opportunistic exploitation of enterprise software vulnerabilities during the spring 2026 period.
The other notable additions included older-vintage vulnerabilities in Microsoft Exchange Server and the Windows Common Log File System Driver — a reminder that threat actors routinely exploit unpatched legacy flaws alongside newer zero-days when they prove effective.
Context: A Series of Critical Fortinet Vulnerabilities
CVE-2026-21643 adds to a troubling pattern of critical vulnerabilities in Fortinet products being weaponized by threat actors. Fortinet devices — including FortiGate firewalls, FortiOS, and now FortiClient EMS — have featured prominently in CISA KEV catalog additions in recent years, making them a recurring source of risk for organizations that rely on Fortinet’s product suite.
Security professionals have previously warned that the combination of Fortinet’s broad enterprise market penetration and the privileged network positions occupied by its products makes discovered vulnerabilities particularly attractive to both nation-state actors and financially motivated cybercriminals.
Immediate Recommended Actions
Organizations running FortiClient EMS should take the following steps without delay:
- Upgrade immediately to FortiClient EMS 7.4.5 or later
- Audit network access to the EMS server and restrict it to authorized management networks only
- Review EMS server logs for evidence of suspicious SQL injection attempts via the HTTP Site header
- Check for indicators of compromise including unexpected administrative accounts, unusual scheduled tasks, or lateral movement from the EMS server
- Apply network segmentation to limit the blast radius if the EMS server has already been compromised
Given CISA’s confirmed exploitation evidence, organizations should treat this as an active incident response priority rather than a routine patch cycle item.