CVE-2026-21643
Published: 06 February 2026
Summary
CVE-2026-21643 is a critical-severity SQL Injection (CWE-89) vulnerability in Fortinet FortiClientEMS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of all CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-21643 is an SQL injection vulnerability, tracked as CWE-89, affecting Fortinet FortiClientEMS version 7.4.4. The flaw stems from improper neutralization of special elements in SQL commands: input carried in specifically crafted HTTP requests reaches the database without being neutralized. It carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access to the management interface can exploit the issue without credentials or user interaction and with low attack complexity, gaining full impact on confidentiality, integrity, and availability of the EMS server (the 9.8 score corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). In practice this means reading or altering the EMS database and, per Fortinet's description, executing unauthorized code or commands.
Fortinet has published advisory FG-IR-25-1142, and CISA lists the CVE in its Known Exploited Vulnerabilities catalog. A public proof-of-concept is available, and the EPSS score has reached 0.7089 (an estimated 71% probability of exploitation activity within the next 30 days), indicating substantial real-world exploitation interest. Any internet-reachable EMS 7.4.4 instance should be treated as a likely target; confirm the installed version before assuming a deployment is unaffected.
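To make the CWE-89 pattern described above concrete, here is an added illustrative example (not FortiClientEMS code, and not derived from the advisory or the proof-of-concept): a lookup that splices an HTTP parameter into SQL text, the same lookup with a bound parameter, and an allowlist check of the kind SI-10 calls for. The table, column names, rows and payloads are constructed for the demo.

```python
"""CWE-89 demo: string-built query vs. parameterized query vs. input allowlist.

Added illustrative example. The schema, rows and parameter names are
constructed for the demo and are NOT FortiClientEMS internals.
"""
import re
import sqlite3

# Allowlist for a hostname/username-style parameter (assumed format for the demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_db():
    """Build an in-memory database standing in for a management server's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?, ?)",
        [("ems-admin", "hash-1", "superadmin"), ("helpdesk", "hash-2", "operator")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: the HTTP parameter is spliced into the SQL text, so a quote
    character inside it changes the structure of the statement."""
    sql = f"SELECT username, role FROM admins WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Fix: the value is bound by the driver and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM admins WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(value):
    """SI-10-style allowlist: reject anything outside the expected alphabet
    before it reaches any query. Defence in depth, not a substitute for binding."""
    return bool(USERNAME_RE.match(value))


def lookup_hardened(conn, username):
    """Validation plus parameterization, as a request handler should do it."""
    if not is_valid_username(username):
        raise ValueError("rejected username parameter")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker inputs: a tautology and a UNION-based column extraction.
    tautology = "' OR '1'='1"
    exfil = "x' UNION SELECT username, password_hash FROM admins WHERE 'a'='a"
    print("vulnerable, tautology :", lookup_vulnerable(db, tautology))     # every row
    print("vulnerable, UNION     :", lookup_vulnerable(db, exfil))         # hashes leak
    print("parameterized         :", lookup_parameterized(db, tautology))  # []
    try:
        lookup_hardened(db, exfil)
    except ValueError as err:
        print("hardened              :", err)
```

The string-built query answers the tautology with every row and the UNION payload with the password-hash column, exactly the read capability the CVSS vector describes; the parameterized query treats both payloads as literal usernames and returns nothing. The allowlist is the cheap second layer: it rejects the payloads before any query runs, but on its own it is not a fix, because a field that legitimately needs quotes (a display name, for instance) cannot be allowlisted this tightly.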
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5681
Vulnerability details
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
- KEV date added: 13 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing FortiClient EMS server enables unauthenticated remote exploitation for arbitrary code/command execution, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of untrusted HTTP inputs so that crafted SQL metacharacters never reach the database. In code terms, bind parameters instead of concatenating them into query text, and reject input that falls outside the expected format.
- SC-7 (Boundary Protection): restricts network exposure of the FortiClientEMS management interface so unauthenticated attackers cannot reach the vulnerable SQL-handling endpoints. The interface should not be reachable from the internet, and access should be limited to administrative networks.
- Monitoring of HTTP requests and database interactions, to identify anomalous SQL patterns indicative of injection attempts.
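As an added example of the monitoring the last control describes (not page or vendor code): a small scanner that parses web-server access log lines in Common Log Format, URL-decodes the query string, and flags requests carrying SQL injection indicators. The log lines and the /example/... paths are constructed for the demo and are not FortiClientEMS endpoints; the real EMS log format may differ.

```python
"""Detect SQL-injection indicators in HTTP access logs.

Added example, not vendor or page code. Sample log lines and the /example/...
paths are constructed for the demo; they are not FortiClientEMS endpoints.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Each pattern names one injection technique; all are run on the decoded query.
SQLI_PATTERNS = [
    ("quote-tautology", re.compile(r"""['"]\s*(or|and)\s+['"]?\w+['"]?\s*=""", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
]

# Constructed sample: one clean request, two injection attempts from two sources,
# a login failure, and a legitimate value containing an apostrophe.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2026:10:14:02 +0000] "GET /example/search?host=ws01 HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2026:10:14:05 +0000] "GET /example/search?host=ws01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 40960
198.51.100.23 - - [06/Feb/2026:10:15:11 +0000] "GET /example/search?host=x%27%20UNION%20SELECT%20username%2Cpassword_hash%20FROM%20admins-- HTTP/1.1" 200 2048
198.51.100.23 - - [06/Feb/2026:10:15:20 +0000] "POST /example/login HTTP/1.1" 401 87
192.0.2.9 - - [06/Feb/2026:10:16:00 +0000] "GET /example/search?host=O%27Brien-laptop HTTP/1.1" 200 510
"""


def decode_fully(text, rounds=3):
    """Undo URL encoding repeatedly so double-encoded payloads do not slip past."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = decode_fully(parts.query)
    return rec


def sqli_indicators(text):
    """Return the names of every pattern that matches the given text."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(text)]


def scan_log(text):
    """Return one finding per request whose query string carries an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = sqli_indicators(rec["query"])
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "query": rec["query"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']}?{f['query']}  <- {', '.join(f['reasons'])}")
```

Two of the five sample lines are flagged (the tautology and the UNION extraction); the request for `O'Brien-laptop` is not, because a lone apostrophe is not an indicator on its own. Pattern matching like this is a starting point, not a verdict: pair it with a per-source threshold, with the response size (the tautology request above returned far more data than the clean one), and with database-side query auditing, since a WAF or log scanner sees only the request, not what the database executed.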