top of page

Critical FortiClientEMS Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21643)

February 10th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring a critical vulnerability affecting Fortinet FortiClientEMS, tracked as CVE-2026-21643. The issue was disclosed by Fortinet on February 6, 2026, and was identified internally by the Fortinet Product Security team. According to NVD, the vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). The vulnerability allows a remote, unauthenticated attacker to execute code on vulnerable FortiClientEMS servers by sending specially crafted HTTP requests. Because FortiClientEMS is a centralized endpoint management platform, a successful compromise could affect a large number of managed endpoints. This activity is particularly relevant to organizations where the FortiClientEMS management interface is reachable from untrusted or internet-facing networks. 

Technical Details

  • Severity: Critical

  • CVE: CVE-2026-21643

  • CVSS v3.1 (CNA / NVD): 9.8 (Critical)

  • Affected Version: FortiClientEMS 7.4.4

  • Attack Vector:

    • The vulnerability is exploitable remotely over HTTP/HTTPS via the FortiClientEMS management interface.

    • An attacker can send specially crafted HTTP requests directly to a vulnerable EMS instance.

    • No authentication or user interaction is required.

    • Deployments where EMS is internet-facing or broadly accessible are at increased risk.

  • Exploitation Mechanics:

    • CVE-2026-21643 is caused by an SQL injection vulnerability in the FortiClientEMS web-based administrative interface.

    • Crafted HTTP parameters can manipulate database queries processed by the EMS server.

    • This manipulation allows attackers to interfere with intended query execution.

    • Under affected configurations, this behavior can result in remote code execution in the security context of the FortiClientEMS service.

  • Post-Compromise Impact:

    • Successful exploitation provides initial access to the EMS server, a privileged endpoint management system.

    • An attacker could:

      • Interact with EMS-managed endpoint configurations

      • Use the EMS server as a pivot point for lateral movement into internal networks

      • Introduce malicious software or unauthorized configuration changes

    • Due to EMS’s centralized role, compromise may extend beyond the server itself.

Image by ThisisEngineering

Impact

  • Unauthorized remote code execution on FortiClientEMS servers.

  • Compromise of a centralized endpoint management platform, significantly increasing blast radius.

  • Potential exposure, manipulation, or disruption of sensitive endpoint configuration and security data.

  • Increased risk of lateral movement within internal networks originating from the EMS server.

  • Disruption of endpoint security operations and business-critical services.

  • Elevated incident response effort, operational downtime, and potential regulatory or compliance exposure.

Detection Method

Organizations should monitor the following sources and behaviors:

  • Inbound HTTP/HTTPS requests to EMS endpoints containing anomalous parameters or malformed parameters.

  • Signs of SQL injection attempts or abnormal database query behavior.

  • Repeated database errors, unexpected query failures, or application instability.

  • Unusual child processes spawned by EMS services (e.g., command shells or scripting interpreters).

  • New or unexpected outbound connections from the EMS server to internal systems.

  • Identification of EMS instances running FortiClientEMS 7.4.4 or other affected builds.

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory.

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

  • Apply Fortinet security updates addressing CVE-2026-21643 immediately.

  • Upgrade FortiClientEMS from version 7.4.4 to 7.4.5 or later, or migrate to an unaffected supported release where appropriate.

  • Restrict access to FortiClientEMS management interfaces to trusted administrative networks only.

  • Avoid exposing EMS management services directly to the internet.

  • Enforce strong authentication controls, including multi-factor authentication where supported.

  • Monitor EMS servers closely for abnormal request patterns, process execution, and outbound network activity.

  • Validate exposure by confirming no unnecessary internet-facing access to EMS services.

Conclusion

CVE-2026-21643 poses a critical risk to organizations running vulnerable FortiClientEMS deployments due to its high severity (CVSS 9.8) and the ability to enable unauthenticated remote exploitation of a centralized endpoint management platform. We urge organizations to act immediately to remediate affected systems, validate exposure, and enhance monitoring. Prompt patching, access restriction, and heightened visibility are essential to reducing risk and protecting endpoint management infrastructure.

bottom of page