The security community is on alert after confirmation of active exploitation of a critical vulnerability in Fortinet's endpoint management platform, FortiClient EMS. Tracked as CVE-2026-21643, it is a SQL injection that, on unpatched systems, lets attackers execute commands or code remotely with low attack complexity.
Researchers at the threat-intelligence firm Defused publicly reported the first exploitation attempts, explaining that the attackers insert malicious SQL statements into the "Site" header of HTTP requests sent to the FortiClient EMS web interface. Their warning can be read directly in their public post. This vector is particularly dangerous because no prior authentication is required to attempt to exploit the flaw.

Fortinet discovered the flaw internally and attributes it to a specific product version: installations running FortiClient EMS 7.4.4 are affected. The vendor's recommended technical mitigation is to update to version 7.4.5 or later; the official security advisory is available on Fortinet's FortiGuard portal. Meanwhile, some press reports tried to obtain confirmation from the company of the observed exploitation, without any immediate response.
The potential scope of the problem is amplified by the Internet exposure of many EMS servers. The Shadowserver monitoring group tracks more than 2,000 FortiClient EMS instances whose web interface is reachable from the Internet, mostly spread across the United States and Europe; its public tracking dashboard is available online. A further search on Shodan returns hundreds to thousands of publicly identifiable instances, which makes the work of actors hunting for vulnerable targets easier.
This episode fits a familiar pattern: weaknesses in Fortinet products have regularly been targeted by ransomware campaigns and espionage operations, often exploited very quickly. The US Cybersecurity and Infrastructure Security Agency (CISA) has previously listed Fortinet vulnerabilities as exploited in the wild and has ordered urgent patching in federal environments on earlier occasions; CISA's catalog of known exploited vulnerabilities is available online, as are historical entries for flaws affecting FortiClient EMS in particular.

If you administer FortiClient EMS, the recommendation is not merely theoretical: act immediately. First, update to the fixed version (7.4.5 or later) as soon as possible. In parallel, if you cannot patch right away, restrict access to the management interface: block direct traffic from the Internet, require access through a VPN or through access control lists that allow only trusted management IPs, and consider deploying WAF or perimeter inspection rules that filter suspicious requests carrying the HTTP header used in the exploitation.
Beyond patching and access containment, start detection and response work: review the web interface and server logs for abnormal requests that carry data in the "Site" header, look for unusual activity in the database or in EMS server processes, and extend monitoring with EDR/IDS to detect unauthorized command execution. If there are signs of compromise, isolate the instance, perform forensic analysis and restore systems from clean backups; do not forget to change administrative credentials and rotate the credentials of any exposed services.
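One way to implement the log review described above, as an added example that is not from the article or from Fortinet: a small Python triage script that flags requests whose "Site" header does not look like a plain site identifier. The record layout, the field names and the sample records are constructed assumptions, not real FortiClient EMS log lines.

```python
import re

# Constructed sample records (not real FortiClient EMS logs); the record
# layout and the "site" field name are assumptions for this example.
SAMPLE_REQUESTS = [
    {"src": "10.20.0.15", "method": "GET", "path": "/", "site": "hq-site"},
    {"src": "203.0.113.7", "method": "GET", "path": "/", "site": "hq' OR 1=1--"},
    {"src": "203.0.113.7", "method": "POST", "path": "/", "site": "x'); SELECT 1/*"},
    {"src": "10.20.0.16", "method": "GET", "path": "/", "site": "branch-office-02"},
    {"src": "198.51.100.9", "method": "GET", "path": "/", "site": "a" * 300},
]

# Indicators of SQL probing in a header that should only ever carry a short
# site identifier: quotes, comment sequences, statement separators, SQL
# keywords, and abnormal length.
SQL_META = re.compile(r"""['"`;]|--|/\*|\*/""")
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|waitfor|exec)\b", re.I)
# Allow-list for a legitimate value (assumption: letters, digits, dot,
# dash and underscore, at most 64 characters). Tune to your environment.
SITE_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def classify_site_header(value):
    """Return the reasons a Site header value looks anomalous (empty if clean)."""
    reasons = []
    if SITE_OK.fullmatch(value):
        return reasons
    if len(value) > 64:
        reasons.append("length")
    if SQL_META.search(value):
        reasons.append("sql-metachar")
    if SQL_KEYWORDS.search(value):
        reasons.append("sql-keyword")
    if not reasons:
        reasons.append("non-allowlisted-chars")
    return reasons


def scan(records):
    """Return (src, site, reasons) for every record with an anomalous Site header."""
    hits = []
    for rec in records:
        reasons = classify_site_header(rec.get("site", ""))
        if reasons:
            hits.append((rec["src"], rec["site"], reasons))
    return hits


if __name__ == "__main__":
    for src, site, reasons in scan(SAMPLE_REQUESTS):
        print(f"{src}\t{','.join(reasons)}\t{site[:40]!r}")
```

Sources that repeatedly trip the allow-list are candidates for the access restrictions above; a single hit from a known management address is more likely a misconfigured client than an attack.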
Finally, speed is key. Management-plane vulnerabilities, by their nature, enable rapid lateral movement within corporate networks and facilitate the delivery of harmful payloads such as ransomware. If your organization uses FortiClient EMS, treat this alert as a priority and coordinate patching, access restrictions and detection activities without delay. For technical details and official updates, see the CVE entry in the NVD, Fortinet's public advisory on FortiGuard, and the Shadowserver and Shodan exposure reports mentioned above.