Cyber Resilience

CVE-2026-21643

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC


Published: 06 February 2026
Modified: 14 April 2026
KEV Added: 13 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9408 (99.8th percentile)
Risk Priority: 100 (floored blend, peak EPSS)

Summary

CVE-2026-21643 is a critical-severity SQL injection (CWE-89) vulnerability in Fortinet FortiClientEMS. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of all CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21643 is an SQL injection vulnerability, tracked as CWE-89, affecting Fortinet FortiClientEMS version 7.4.4. The flaw stems from improper neutralization of special elements in SQL commands and is triggered by specifically crafted HTTP requests to the EMS server. It carries a CVSS v3.1 base score of 9.8.

An unauthenticated attacker with network access can exploit the issue without credentials or user interaction (AV:N/PR:N/UI:N), with full impact on confidentiality, integrity and availability (C:H/I:H/A:H): data on the affected system can be read and modified and the service disrupted. The attack is of low complexity and targets the exposed management interface directly, so any EMS instance reachable from an untrusted network is at risk.

Fortinet has published advisory FG-IR-25-1142, and CISA lists the CVE in its Known Exploited Vulnerabilities catalog. A public proof-of-concept is available, and the EPSS score, 0.7089 at the time of this analysis, indicates substantial real-world exploitation interest.


Vulnerability details

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

CWE(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KEV Date Added: 13 April 2026

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in the public-facing FortiClientEMS server enables unauthenticated remote exploitation for arbitrary code or command execution, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35616 (same product: Fortinet FortiClientEMS; both on KEV)
CVE-2025-59922 (same product: Fortinet FortiClientEMS)
CVE-2025-25257 (same vendor: Fortinet; both on KEV)
CVE-2025-49784 (same vendor: Fortinet)
CVE-2023-37931 (same vendor: Fortinet)
CVE-2024-23106 (same product: Fortinet FortiClientEMS)
CVE-2024-54026 (same vendor: Fortinet)
CVE-2024-55591 (same vendor: Fortinet; both on KEV)
CVE-2025-24472 (same vendor: Fortinet; both on KEV)
CVE-2025-61848 (same vendor: Fortinet)

Affected Assets

Vendor: fortinet
Product: forticlientems
Version: 7.4.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and neutralization of untrusted HTTP inputs to block specially crafted SQL elements before they reach the database.
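The following is an added illustration, written for this page, of the CWE-89 pattern described in the deeper analysis above and of the SI-10 style fix this control calls for. It is not FortiClientEMS code and is not from Fortinet: the in-memory sqlite3 table, the `endpoints` schema, the hostname allowlist regex and the `handle_request()` function are all constructed for the example. The vulnerable path splices the HTTP parameter into the SQL text; the hardened path validates the input against an allowlist first and then binds it as a parameter, so the value can never alter the statement's structure.

```python
"""Added example: CWE-89 string-built SQL beside its parameterized, validated fix.

Everything here (schema, data, handler) is constructed for illustration and
does not reflect how FortiClientEMS stores or queries data.
"""
import re
import sqlite3

# Allowlist for the one parameter this handler accepts (assumption: a hostname).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def make_db():
    """Constructed in-memory table standing in for an endpoint inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE endpoints (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO endpoints (hostname, owner) VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-db", "svc-admin")],
    )
    return conn


def lookup_vulnerable(conn, hostname):
    """CWE-89: the request parameter is concatenated straight into the SQL text."""
    sql = f"SELECT hostname, owner FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, hostname):
    """Fix: a bound parameter; the driver passes the value, never SQL syntax."""
    return conn.execute(
        "SELECT hostname, owner FROM endpoints WHERE hostname = ?", (hostname,)
    ).fetchall()


def is_valid_hostname(value):
    """SI-10 style allowlist check applied before any database access."""
    return HOSTNAME_RE.fullmatch(value) is not None


def handle_request(conn, params):
    """Hypothetical HTTP handler: reject bad input early, then bind the value."""
    hostname = params.get("hostname", "")
    if not is_valid_hostname(hostname):
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": lookup_parameterized(conn, hostname)}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # Vulnerable path: the tautology turns the WHERE clause true for every row.
    print("vulnerable   :", lookup_vulnerable(db, payload))
    # Parameterized path: the payload is compared literally and matches nothing.
    print("parameterized:", lookup_parameterized(db, payload))
    # Validated handler: the payload never reaches the database at all.
    print("handler      :", handle_request(db, {"hostname": payload}))
    # Read impact (C:H): a UNION pulls schema text out through the same hole.
    leak = "x' UNION SELECT name, sql FROM sqlite_master--"
    print("schema leak  :", lookup_vulnerable(db, leak))
```

The allowlist and the bound parameter are independent layers: parameterization alone already defeats both payloads, and validation alone would still leave a string-built query exploitable through any input the regex happens to admit. Note also that sqlite3's `execute()` refuses to run more than one statement at a time, so a stacked `'; DROP TABLE ...` payload raises an error here; that is a quirk of this driver, not a defense to rely on with other database engines.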

SC-7 Boundary Protection (prevent)

Restricts network exposure of the FortiClientEMS management interface so unauthenticated attackers cannot reach the vulnerable SQL-handling endpoints.

detect

Enables monitoring of HTTP requests and database interactions to identify anomalous SQL patterns indicative of injection attempts.
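As an added example of the detection side of this control, the Python below scans web-server access logs for the SQL injection indicators an attempt like the one described on this page would leave in the request line. It is written for this page, not taken from Fortinet or FortiClientEMS: the log lines, the `/api/v1/endpoints` path and the `hostname` parameter are constructed, and the Common Log Format parser should be adapted to whatever the reverse proxy or EMS host in front of the server actually writes. It also handles one edge case practitioners miss: double percent-encoding used to slip past single-pass filters.

```python
"""Added example: scanning access logs for SQL-injection indicators.

Log lines, paths and parameter names are constructed for this example and
are not FortiClientEMS log data.
"""
import re
from urllib.parse import unquote_plus

# Common Log Format style line; the request line is what carries the payload.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Indicator name -> pattern run against the fully URL-decoded path and query.
SQLI_INDICATORS = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("stacked-query", re.compile(r";\s*(?:drop|delete|insert|update|alter|create)\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|/\*)")),
    ("time-based", re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
]

# Constructed sample: two clean requests, one tautology, one UNION read,
# a failed login, and a double-encoded tautology (%2527 -> %27 -> ').
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2026:09:12:01 +0000] "GET /api/v1/endpoints?hostname=ws-01 HTTP/1.1" 200 512
203.0.113.10 - - [13/Apr/2026:09:12:03 +0000] "GET /api/v1/endpoints?hostname=ws-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
198.51.100.7 - - [13/Apr/2026:09:13:40 +0000] "POST /api/v1/login HTTP/1.1" 401 87
203.0.113.10 - - [13/Apr/2026:09:14:15 +0000] "GET /api/v1/endpoints?hostname=x%27%20UNION%20SELECT%20table_name%2Ctable_schema%20FROM%20information_schema.tables-- HTTP/1.1" 500 231
192.0.2.5 - - [13/Apr/2026:09:15:02 +0000] "GET /api/v1/endpoints?hostname=srv-db HTTP/1.1" 200 498
203.0.113.10 - - [13/Apr/2026:09:16:30 +0000] "GET /api/v1/endpoints?hostname=ws-01%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 8192
"""


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to dodge filters."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators_for(decoded_path):
    """Names of every indicator pattern that matches the decoded request path."""
    return [name for name, rx in SQLI_INDICATORS if rx.search(decoded_path)]


def scan_log(text):
    """One record per log line that carries at least one indicator, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        decoded = decode_fully(m.group("path"))
        found = indicators_for(decoded)
        if found:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "path": decoded,
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["indicators"], hit["path"])
```

Two caveats when running this against real traffic: access logs capture only the query string, so injection carried in a POST body or header is invisible to it and needs WAF or application-level request logging; and these patterns are triage indicators, not verdicts, so a hit should be correlated with the response size and status (note the oversized 200 and the 500 in the sample) and with the source address's other activity before it becomes an incident.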
