CVE-2026-21643
Published: 06 February 2026
Summary
CVE-2026-21643 is a critical-severity SQL Injection (CWE-89) vulnerability in Fortinet Forticlientems. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-21643 by requiring timely patching of the SQL injection flaw in FortiClientEMS 7.4.4 to prevent unauthorized code execution.
Prevents SQL injection exploitation by validating and sanitizing specially crafted HTTP request inputs used in SQL commands within FortiClientEMS.
Boundary protection with web application firewalls can filter and block malicious HTTP requests targeting the SQL injection vulnerability in FortiClientEMS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing FortiClient EMS server enables unauthenticated remote exploitation for arbitrary code/command execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Deeper analysisAI
CVE-2026-21643 is an SQL injection vulnerability (CWE-89) in Fortinet FortiClientEMS version 7.4.4, stemming from improper neutralization of special elements used in an SQL command. Published on 2026-02-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthenticated attacker with network access can exploit the vulnerability via specially crafted HTTP requests, requiring low complexity and no privileges or user interaction. Exploitation may allow execution of unauthorized code or commands, resulting in high confidentiality, integrity, and availability impacts on the affected FortiClientEMS instance.
Fortinet's PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 details the issue. A proof-of-concept exploit script is available at https://github.com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.py. The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643, indicating active real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 13 April 2026