Fortinet FortiClient EMS SQL injection actively exploited SQL injection flaw (CVE-2026-21643)
Vulnerability
Summary
Hide ▲
Show ▼
Active exploitation of CVE-2026-21643 is putting Fortinet FortiClient EMS deployments at risk of unauthenticated arbitrary code or command execution on unpatched systems. The flaw is a SQL injection issue in the FortiClientEMS GUI that can be reached with malicious HTTP requests. The vulnerable release is FortiClient EMS 7.4.4, and the fix is 7.4.5 or later. Exposure data cited in the report shows nearly 1,000 public instances on Shodan and more than 2,000 exposed instances tracked by Shadowserver.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data Leak
H score93
First: 22.06.2026 11:30
Last: 22.06.2026 11:30
Sources 1
About this happening:
The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data LeakAbout this happening: The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Timeline
-
30.03.2026 10:48 2 articles · 3mo ago
First exploitation of FortiClient EMS SQL injection
Exploitation ObservedThreat actors first exploited CVE-2026-21643 against Fortinet FortiClient EMS, using SQL injection in malicious HTTP requests to the FortiClientEMS GUI to run code or commands on unpatched systems.
Show sources
- Critical Fortinet Forticlient EMS flaw now exploited in attacks — www.bleepingcomputer.com — 30.03.2026 10:48
- Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited — www.infosecurity-magazine.com — 07.04.2026 12:26
-
30.03.2026 10:48 1 articles · 3mo ago
Public disclosure of active FortiClient EMS exploitation
Initial DisclosureDefused and related exposure tracking described CVE-2026-21643 as actively exploited in Fortinet FortiClient EMS version 7.4.4, with mitigation available in version 7.4.5 or later; exposure data cited close to 1,000 publicly exposed Shodan instances and more than 2,000 FortiClient EMS web interfaces tracked by Shadowserver, including over 1,400 IPs in the United States and Europe.
Show sources
- Critical Fortinet Forticlient EMS flaw now exploited in attacks — www.bleepingcomputer.com — 30.03.2026 10:48