CVE-2026-21643: FortiClientEMS SQL Injection Vulnerability
Summary
CISA has added CVE-2026-21643 to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a SQL injection flaw in Fortinet FortiClientEMS 7.4.4 that allows unauthenticated remote code execution via crafted HTTP requests. The SSVC assessment records exploitation as active, the attack as automatable, and the technical impact as total. The CVSS score is 9.1 (CRITICAL). Federal agencies are subject to remediation requirements under Binding Operational Directive 22-01.
What changed
CISA added CVE-2026-21643 to the KEV catalog on April 14, 2026. The vulnerability affects FortiClientEMS version 7.4.4 and allows unauthenticated attackers to execute unauthorized code or commands via specially crafted HTTP requests, caused by improper neutralization of special elements in SQL commands (CWE-89). The CVSS 3.1 score is 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The SSVC classification records active exploitation, an automatable attack path, and total technical impact.
Organizations using FortiClientEMS must immediately patch to the latest available version per Fortinet's FG-IR-25-1142 advisory. Federal agencies face mandatory remediation timelines under BOD 22-01 requirements for KEV catalog entries. Given active exploitation status and critical severity, this vulnerability should be treated as an emergency patch priority. All network segments accessing FortiClientEMS management interfaces should be reviewed for anomalous activity.
What to do next
- Apply the fix from Fortinet advisory FG-IR-25-1142 immediately
- Verify FortiClientEMS installations for version 7.4.4 or earlier
- Monitor CISA KEV catalog for related updates
Archived snapshot
Apr 14, 2026. GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: Fortinet, Inc.
Description
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CWE 1 Total
- CWE-89: Execute unauthorized code or commands
CVSS 1 Total
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.1 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Product Status
Versions 1 Total
Default Status: unaffected
affected
- affected at 7.4.4
References 1 Total
Authorized Data Publishers
CISA-ADP
Updated: 2026-04-14
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-02-06 |
KEV 1 Total
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643 (2026-04-13)
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.