Fortinet is once again under scrutiny after security researchers uncovered active exploitation of a critical vulnerability in its FortiClient Endpoint Management Server (EMS). The flaw, tracked as CVE-2026-21643, is a SQL injection that can lead to remote code execution and the theft of sensitive data, putting thousands of internet-facing systems at serious risk.

According to findings from Defused Cyber, threat actors have recently abused this vulnerability using low-complexity attack methods: an attacker sends specially crafted HTTP requests that exploit the SQL injection flaw without any authentication. Unpatched, internet-reachable systems are therefore open to unauthorized access and control.

The issue adds to a growing list of concerns for Fortinet, which serves over 900,000 customers worldwide. Experts warn that repeated vulnerabilities of this kind point to a broader security challenge in the vendor's products.

“This is Fortinet’s seventh SQL CVE over the past 12 months, and that’s frankly seven too many,” said David Shipley of Beauceron Security.

The FortiClient EMS platform manages, monitors, and deploys endpoint security agents across enterprise environments, which makes a compromised server a high-value target. The vulnerability affects version 7.4.4 when multi-tenant mode is enabled; organizations remain exposed until they upgrade to version 7.4.5 or later. Despite the severity, at the time of reporting Fortinet had not yet updated its advisory to reflect active exploitation.

Researchers at Bishop Fox also showed that the flaw can be exploited with minimal effort. By injecting SQL through a single HTTP request header, an attacker gains direct access to the backend PostgreSQL database.

“This gives attackers access to admin credentials, endpoint inventory data, security policies, and certificates for managed endpoints,” the researchers wrote.

Alarmingly, the server enforces no lockout, so an attacker can send as many requests as needed, and it returns database error messages to the client, which lets an attacker confirm the injection and extract data quickly through error-based techniques. Meanwhile, the Shadowserver Foundation has identified over 2,400 exposed EMS instances globally, concentrated in the United States and Europe, and Shodan reports around 1,000 publicly accessible instances.
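The mechanics described above, shown as an added example that is not code from the original article, from Bishop Fox, or from Fortinet: a deliberately vulnerable request handler that splices a hypothetical `X-Site` header value into a query and echoes database errors back, beside a hardened handler that uses a bound parameter and a generic error response. The real EMS header name, query and schema are not on the page and are assumed here; SQLite stands in for PostgreSQL so the example runs offline, and all tables and rows are constructed.

```python
import sqlite3

# Constructed stand-in schema for a management server's backend database.
# SQLite replaces PostgreSQL only so the example runs offline; the tables,
# columns and rows are invented for illustration, not taken from the product.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO admin_users VALUES (1, 'admin', 'sha256$constructed-hash');
        INSERT INTO sites VALUES (1, 'headquarters'), (2, 'branch-east');
    """)
    return conn


def lookup_site_vulnerable(conn, x_site_header):
    # Vulnerable pattern: the attacker-controlled header value is spliced into
    # the SQL text, and any database error is echoed back to the client.
    sql = f"SELECT id, name FROM sites WHERE name = '{x_site_header}'"
    try:
        return {"status": 200, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}  # leaks DB internals


def lookup_site_hardened(conn, x_site_header):
    # Hardened: allow-list the header's shape, pass the value as a bound
    # parameter so it can never alter the query structure, and return only a
    # generic error to the client (the real error belongs in a server-side log).
    if not x_site_header or len(x_site_header) > 64:
        return {"status": 400, "error": "invalid site header"}
    if not all(ch.isalnum() or ch in "-_" for ch in x_site_header):
        return {"status": 400, "error": "invalid site header"}
    try:
        rows = conn.execute(
            "SELECT id, name FROM sites WHERE name = ?", (x_site_header,)
        ).fetchall()
        return {"status": 200, "rows": rows}
    except sqlite3.Error:
        return {"status": 500, "error": "internal error"}


# Two constructed attacker payloads: a UNION that pulls rows from an unrelated
# table, and a bare quote that only triggers a syntax error (error-based probing).
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM admin_users --"
PROBE_PAYLOAD = "'"


def demo():
    # Runs both handlers against a legitimate header value and both payloads.
    conn = build_db()
    return {
        "legit_vuln": lookup_site_vulnerable(conn, "headquarters"),
        "union_vuln": lookup_site_vulnerable(conn, UNION_PAYLOAD),
        "probe_vuln": lookup_site_vulnerable(conn, PROBE_PAYLOAD),
        "legit_safe": lookup_site_hardened(conn, "headquarters"),
        "union_safe": lookup_site_hardened(conn, UNION_PAYLOAD),
        "probe_safe": lookup_site_hardened(conn, PROBE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} {result}")
```

In the vulnerable handler the UNION payload returns the admin username and password hash in place of a site row, and the bare quote returns the raw database error, which is exactly the feedback an attacker uses to tune further payloads. The bound parameter alone stops the injection; the allow-list and the generic error message are defence in depth that remove the verbose-error signal, and a request rate limit (not shown) would address the missing lockout.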

Security experts emphasize that SQL injection remains one of the most persistent and dangerous application security risks. Although it was identified decades ago, it keeps reappearing because applications still build queries by concatenating untrusted input into SQL strings instead of using parameterized queries, and because surrounding controls such as error handling and rate limiting are weak.

“You don’t want these kinds of bugs to lead to remote code execution, [but] in multi-site setups of this service, that’s what you can get,” said Shipley.

Victor Okorie from Info-Tech Research Group further stressed the severity of such vulnerabilities, noting that attackers can easily bypass authentication, steal credentials, and move laterally within networks.

“The bad actor’s playbook consists of ‘get in,’ ‘take control,’ and ‘profit,’ and this is something we should always remember when reviewing vulnerabilities being exploited in the wild,” said Okorie.

Given the increasing frequency of attacks targeting Fortinet products, experts strongly recommend adopting a Zero Trust approach, under which a management interface such as EMS is never reachable directly from the internet. Organizations should immediately check whether their EMS systems are internet-exposed and restrict access to a management network or VPN behind a secure gateway.

Overall, this incident reinforces the urgent need for proactive cybersecurity strategies, timely patching, and stronger defenses to mitigate evolving threats.
