Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited. Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X. Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our dataAttackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj— Defused (@DefusedCyber) March 28, 2026In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.Below are the affected versions:VersionAffectedSolutionFortiClientEMS 8.0Not affectedNot ApplicableFortiClientEMS 7.47.4.4Upgrade to 7.4.5 or aboveFortiClientEMS 7.2Not affectedNot ApplicableIn February, the vendor did not disclose whether the vulnerability is currently being actively exploited in the wild.Despite not yet appearing in major exploited lists, real-world attacks have already been observed.Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, Fortinet)