Particle.news

Critical FortiClient EMS SQL Injection Reported Under Active Exploit

Wide internet exposure makes rapid upgrades to 7.4.5 critical for defenders.

Overview

  • Defused, which runs honeypots, reported Sunday that attackers began exploiting CVE-2026-21643 about four days earlier.
  • The flaw lets an unauthenticated request inject SQL through the 'Site' HTTP header in the FortiClient EMS web interface, enabling remote code or command execution.
  • The bug affects FortiClient EMS 7.4.4; Fortinet advises upgrading to 7.4.5 or later. Branches 7.2 and 8.0 are not impacted.
  • Internet scans show many EMS consoles open to the web, with Shadowserver tracking roughly 2,000 instances and Shodan close to 1,000, largely in the U.S. and Europe.
  • Fortinet discovered the issue internally and has not confirmed in-the-wild attacks. Prior Fortinet flaws have fueled ransomware and espionage, raising the stakes for unpatched networks.