A critical FortiClientEMS vulnerability allows attackers to remotely execute malicious code.

FortiClientEMS RCE Vulnerability In a critical security advisory, Fortinet cautions administrators to patch FortiClientEMS, its endpoint protection central management solution, right away. With a CVSSv3 score of 9.1, the vulnerability, known as CVE-2026-21643, may enable remote, unauthenticated attackers to run arbitrary code or unapproved commands on compromised servers. Formally defined as a "improper neutralization of special elements used in a SQL Command," the vulnerability falls under the category of SQL Injection (SQLi) vulnerabilities (CWE-89).

It is specifically found in the software's Graphical User Interface (GUI) component. An attacker can send specially constructed HTTP requests to manipulate database queries because input sanitization is inadequate. The attacker gains control of the underlying system without requiring legitimate credentials thanks to this effective circumvention of authentication barriers.

Given that FortiClientEMS is usually the main hub for managing antivirus deployments, endpoint security policies, and compliance reporting throughout an organization's network, this is especially risky for enterprise environments. A successful compromise here might enable the deployment of ransomware or act as a beachhead for lateral movement into the larger network. Versions Affected The Fortinet advisory states that the vulnerability affects particular 7.4 branch versions.

It is recommended that administrators using FortiClientEMS 7.4.4 update right away. The following is the official remediation path: Update to at least FortiClientEMS 7.4.5. Fortinet has verified that this particular defect does not affect versions in the 8.0 and 7.2 branches.

Furthermore, a February 6, 2026, timeline update made it clear that FortiEMS Cloud instances are likewise unaffected, allaying SaaS customers' immediate concerns. There is currently no proof of exploitation in the wild at the time of publication, as the vulnerability was found internally by Gwendal Guégniaud of the Fortinet Product Security team. Nonetheless, threat actors are likely to reverse-engineer the patch due to its high severity score (9.1) and low exploitation complexity (CVSS vector AV:N/AC:L/PR:N).

The CVSS calculation rates the CIA triad—Confidentiality, Integrity, and Availability—as having a "High" impact, and the vulnerability permits a total compromise of these three elements.

Until the patch is applied, security teams are encouraged to isolate management interfaces from the public internet and check their logs for any suspicious HTTP requests directed at the EMS GUI. X, LinkedIn, and LinkedIn for daily ZeroOwl. To have your stories featured, get in touch with us.