The Fortinet FortiClient Endpoint Management Server (EMS) flaw is being exploited in the wild. There are almost 1,000 publicly exposed instances of EMS, which gives attackers a large attack surface.
Fortinet has assigned this flaw a CVSS score of 9.1, reflecting a severe potential impact on business environments. The flaw lets attackers without valid credentials take complete control of vulnerable endpoint management servers. The only sure fix is to upgrade to version 7.4.5, and businesses should make this update a top priority in their emergency patch management cycles. Gwendal Guégniaud of Fortinet's Product Security team found the flaw internally, and it was publicly disclosed on February 6, 2026.
The vulnerability stems from improper neutralization of special elements in SQL commands (SQL injection) in the FortiClient EMS admin web interface. Because the software doesn't properly sanitize user input, unauthenticated attackers can execute arbitrary code remotely. The lack of any authentication requirement makes this a very appealing target for initial access brokers and ransomware affiliates.
Security teams need to monitor their network traffic logs for unusual HTTP GET requests to the administrative interface. Defenders should look for unexpected characters or SQL commands injected into the Site header, especially ones that try to invoke time-based SQL injection functions. Fortinet says that identifying these specific indicators of compromise is very important for spotting unauthorized access attempts before they can be fully exploited.
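The log check described above, as an added example (not Fortinet's code or a published signature): it scans proxy logs for GET requests whose Site header carries SQL metacharacters or time-delay functions. The tab-separated log format, the placeholder path, the sample lines and the list of engine-specific delay functions are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed (hypothetical) proxy log format, one tab-separated line per request:
#   timestamp, client IP, method, path, value of the Site header
# Time-delay functions and keywords from common database engines.
TIME_BASED = re.compile(
    r"pg_sleep\s*\(|waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|dbms_lock\.sleep",
    re.IGNORECASE,
)
# SQL metacharacters that have no place in a site name.
META = re.compile(r"['\";]|--|/\*|\*/")
# Assumption: legitimate Site values are short, plain names.
PLAIN_SITE = re.compile(r"^[A-Za-z0-9_.\- ]{0,64}$")


def classify_site_header(value):
    """Return 'time-based-sqli', 'sql-metachar', 'unusual' or None."""
    decoded = value
    for _ in range(2):  # undo up to two layers of URL encoding (%2527 -> ')
        decoded = unquote(decoded)
    if TIME_BASED.search(decoded):
        return "time-based-sqli"
    if META.search(decoded):
        return "sql-metachar"
    return None if PLAIN_SITE.match(decoded) else "unusual"


def scan(lines):
    """Return (timestamp, client_ip, verdict) for each suspicious GET request."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or parts[2].upper() != "GET":
            continue  # malformed line, or not the request type the advisory names
        verdict = classify_site_header(parts[4])
        if verdict:
            hits.append((parts[0], parts[1], verdict))
    return hits


# Constructed sample lines: documentation IP ranges, placeholder path.
SAMPLE = [
    "2026-02-10T08:01:12Z\t198.51.100.7\tGET\t/placeholder\tdefault",
    "2026-02-10T08:01:15Z\t203.0.113.9\tGET\t/placeholder\tx'; SELECT pg_sleep(5)--",
    "2026-02-10T08:01:19Z\t203.0.113.9\tGET\t/placeholder\tx%2527%20OR%201=1",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Hits from a check like this are leads for triage, since a site name that legitimately contains a quote or `--` would also be flagged.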








