INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Fortinet FortiClient EMS Exploit Vulnerability Critical
| 2026-03-30 10:43 CRITICAL HIGH
Executive Summary AI-generated
Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection. The vulnerability, rated 9.1 on the CVSS scale, has been actively exploited since March 30th, with attackers smuggling SQL statements through the "Site" header in HTTP requests. This could enable attackers to gain an initial foothold in a target network, allowing lateral movement or malware deployment. The vulnerability affects FortiClient EMS 7.4; FortiClientEMS 8.0 is not impacted, and affected installations should be upgraded to version 7.4.5 or higher.
Technical Mitigations AI-generated
* Upgrade to FortiClientEMS 7.4.5 or later: This is the recommended solution to patch the vulnerability and prevent exploitation.
* Use a web application firewall (WAF): Implementing a WAF can help block malicious traffic and reduce the risk of successful attacks.
* Implement network segmentation: Segmenting your network into smaller, isolated areas can make it more difficult for attackers to spread their malware or exploit vulnerabilities in FortiClient EMS.
* Use secure protocols: Ensure that all communication between devices is encrypted using HTTPS (Hypertext Transfer Protocol Secure) and other secure protocols.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Salt Typhoon
CVE-2023-48788
CVE-2026-24858
CVE-2026-21643
Target & Sectors
EUROPE
NORTH_AMERICA
Incident Timeline
March 2024
Threat actors exploited a FortiClient EMS SQL injection vulnerability tracked as CVE-2023-48788 to breach telecommunications service providers.
attribution
Known Exploited
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
tactic
T1588.006 - Vulnerabilities
attribution
KEV
attribution
CVE-2023-48788
tactic
Ransomware
Two years ago, in March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch another FortiClient EMS SQL injection vulnerability that had been exploited in ransomware attacks and by Salt Typhoon, a Chinese state-sponsored hacking group, to breach telecommunications service providers.
threat_actor
Salt Typhoon
source_region
China
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, Fortinet)
2026-03-26
Threat actors exploited CVE-2026-21643 in Fortinet Forticlient EMS to execute remote code.
vulnerability
CVE-2026-21643
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data. Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.”
"Fortinet Forticlient EMS CVE-2026-21643 - currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists - has seen first exploitation already 4 days ago according to our data," Defused warned over the weekend.
attribution
Fortinet Forticlient EMS CVE-2026-21643
attribution
Known Exploited
tactic
T1588.006 - Vulnerabilities
attribution
KEV
attribution
Forticlient EMS
general_metric
1000 instances
2026-03-30
Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.
organisation
Critical Fortinet FortiClient EMS
Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution.
Critical Fortinet Forticlient EMS flaw now exploited in attacks.
organisation
Fortinet FortiClient EMS
organisation
SQL
Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClientEMS GUI (web interface) via maliciously crafted HTTP requests.
organisation
FortiClient EMS
According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.
The vulnerability, discovered internally by Gwendal Guégniaud of the Fortinet Product Security team, affects FortiClient EMS version 7.4.4 and can be patched by upgrading to version 7.4.5 or later.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
infrastructure
8.0
Below are the affected versions:

| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |

In February, the vendor did not disclose whether the vulnerability was being actively exploited in the wild.
infrastructure
7.4
infrastructure
7.4.4
infrastructure
7.4.5
infrastructure
7.2
financial
683 Europe
organisation
Shadowserver
Internet security watchdog group Shadowserver is currently tracking over 2,000 FortiClient EMS instances with their web interfaces exposed online, with more than 1,400 IPs in the United States and in Europe.
victims
2,000 FortiClient EMS
infrastructure
1,400 IPs
organisation
Fortinet’s FortiClient EMS
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
organisation
an SQL Command
The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS.
organisation
Shodan
FortiClient EMS exposed online (Shadowserver)
A separate Shodan search shows more than FortiClient EMS, with most exposed instances in the United States.
organisation
FortiCloud SSO
Most recently, Fortinet mitigated CVE-2026-24858 zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
organisation
Fortinet
Fortinet has yet to update its security advisory and flag the vulnerability as exploited in the wild.
Tactical Metrics
Metrics
infrastructure
8.0
Software Version
Metrics
infrastructure
7.4
Software Version
Metrics
infrastructure
7.4.4
Software Version
Metrics
infrastructure
7.4.5
Software Version
Metrics
infrastructure
7.2
Software Version
Metrics
financial
683
Europe
Metrics
victims
2,000
Forticlient Ems
Metrics
infrastructure
1,400
Ips
Intelligence Sources
BleepingComputer
2026-03-30
Critical Fortinet Forticlient EMS flaw now exploited in attacks
BleepingComputer
Security Affairs
2026-03-30
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:45
Comprehensive Tactical Telemetry
Highly Correlated Entities
| Count | Type | Label | Value | Kind |
|---|---|---|---|---|
| 11x | organisation | Identified Entity | Critical Fortinet FortiClient EMS | entity |
| 7x | attribution | Attributing Entity | Fortinet Forticlient EMS CVE-2026-21643 | authority |
| 5x | infrastructure | Software Version | 8.0 | version |
| 4x | tactic | Cyber Operation Type | Lateral Movement | tactic |
| 3x | vulnerability | Exploited CVE | CVE-2026-21643 | cve |
| 2x | timeline | Temporal Reference | 2026-03-26 | date |
Contextual Telemetry
Context Block
14 METRICS
| Type | Label | Value | Unit |
|---|---|---|---|
| vulnerability | CVSS Score | 9 | score |
| tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique |
| general metric | Instances | 1,000 | instances |
| target region | Target Region | EUROPE | region |
| general metric | Ems Instances | 2,000 | ems instances |
| general metric | Most | 756 | most |
| financial | Europe | 683 | europe |
| target region | Target Country | United States | country |
| victims | Forticlient Ems | 2,000 | forticlient ems |
| infrastructure | Ips | 1,400 | ips |
| threat actor | APT Group | Salt Typhoon | actor |
| source region | Origin Country | China | country |
| general metric | Citrix Vulnerabilities | 24 | citrix vulnerabilities |
| general metric | Vulnerabilities | 13 | vulnerabilities |