
Fortinet FortiClient EMS actively exploited SQL injection flaw (CVE-2026-21643)

Vulnerability

Happening score: 58
2 unique sources, 2 articles

Summary


Active exploitation of CVE-2026-21643 is putting Fortinet FortiClient EMS deployments at risk of unauthenticated arbitrary code or command execution on unpatched systems. The flaw is a SQL injection issue in the FortiClientEMS GUI that can be reached with malicious HTTP requests. The vulnerable release is FortiClient EMS 7.4.4, and the fix is 7.4.5 or later. Exposure data cited in the report shows nearly 1,000 public instances on Shodan and more than 2,000 exposed instances tracked by Shadowserver.

Related Happenings

CISA KEV listing and FCEB patch order for CVE-2026-35616

Public Sector Action
First: 06.04.2026 19:02 Last: 06.04.2026 19:02 Sources 1

About this happening: **CISA** added **CVE-2026-35616** to the **KEV Catalog** and ordered **FCEB agencies** to patch **FortiClient EMS** by **Thursday midnight, April 9**. The mandate matters because...

FortiClient EMS improper access control flaw (CVE-2026-35616)

Vulnerability
First: 05.04.2026 21:45 Last: 05.04.2026 21:45 Sources 1

How related: CVE-2026-35616 is a critical (CVSS 9.1) improper access control vulnerability which could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

About this happening: **CVE-2026-35616** is being **actively exploited** against **FortiClient Enterprise Management Server (EMS)**, putting exposed **7.4.5 and 7.4.6** deployments at risk of remote co...

CISA KEV patch directive for CVE-2025-53521

Advisory/Mitigation
First: 30.03.2026 10:07 Last: 30.03.2026 10:07 Sources 1

About this happening: CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...

CISA KEV listing for Wing FTP CVE-2025-47813

Public Sector Action
First: 17.03.2026 07:23 Last: 17.03.2026 07:23 Sources 1

About this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...

FortiGate exposed management interface exploitation wave

Exploitation Wave
First: 21.02.2026 16:49 Last: 21.02.2026 16:49 Sources 1

About this happening: **FortiGate** management interfaces were hit by an **automated exploitation wave** that abused **internet-exposed ports** and **commonly reused credentials** to compromise **600+...

Timeline

  1. 30.03.2026 10:48 2 articles · 1mo ago

    First exploitation of FortiClient EMS SQL injection

    Exploitation Observed

    Threat actors first exploited CVE-2026-21643 against Fortinet FortiClient EMS, using SQL injection in malicious HTTP requests to the FortiClientEMS GUI to run code or commands on unpatched systems.

  2. 30.03.2026 10:48 1 article · 1mo ago

    Public disclosure of active FortiClient EMS exploitation

    Initial Disclosure

    Defused and related exposure tracking described CVE-2026-21643 as actively exploited in Fortinet FortiClient EMS version 7.4.4, with mitigation available in version 7.4.5 or later; exposure data cited close to 1,000 publicly exposed Shodan instances and more than 2,000 FortiClient EMS web interfaces tracked by Shadowserver, including over 1,400 IPs in the United States and Europe.
