Fortinet has released fixes for a critical SQL injection vulnerability in FortiClient Endpoint Management Server (FortiClientEMS) that it says could allow an unauthenticated attacker to execute “unauthorized code or commands” using specially crafted HTTP requests.
The issue is tracked as CVE-2026-21643 and mapped to CWE-89 (SQL injection).
Fortinet is a U.S.-based cybersecurity vendor that sells network security and endpoint products to enterprises, service providers and government organizations.
In its most recent SEC filing that discloses customer penetration, Fortinet said that it had approximately 80% of the Fortune 100 and approximately 72% of the Global 2000 as customers.
FortiClient Endpoint Management Server, or FortiClientEMS, is the company’s centralized server platform for administering endpoints running FortiClient, giving security teams a single place to manage those endpoint agents and see endpoint status.
In simple terms, SQL injection can occur when a web application does not properly neutralize input before it is used to build a database query, which can let an attacker alter the intended query.
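As an added illustration (this is not code from Fortinet or from the advisory, and it does not describe the FortiClientEMS bug itself, whose injection point has not been published), the following Python runs a deliberately vulnerable lookup and its parameterized counterpart against a constructed in-memory SQLite table. The table, hostnames and payloads are made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; this is not FortiClientEMS's schema.
SAMPLE_ENDPOINTS = [
    ("ws-101", "alice", "compliant"),
    ("ws-102", "bob", "quarantined"),
    ("srv-201", "svc-backup", "compliant"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, owner TEXT, status TEXT)")
    conn.executemany("INSERT INTO endpoints VALUES (?, ?, ?)", SAMPLE_ENDPOINTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    """Deliberately vulnerable: the untrusted value is pasted into the SQL text,
    so a quote character in it ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT hostname, owner, status FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, hostname: str) -> list:
    """Hardened: the query text is fixed and the value travels as a bound parameter,
    so the database never parses the input as SQL."""
    query = "SELECT hostname, owner, status FROM endpoints WHERE hostname = ?"
    return conn.execute(query, (hostname,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign value and two classic payloads and report results."""
    conn = build_db()
    benign = "ws-101"
    # Tautology payload: closes the literal and appends an always-true clause.
    tautology = "x' OR '1'='1"
    # UNION payload: same column count as the original SELECT, reads the schema
    # catalogue instead of the endpoints table. The trailing quote of the original
    # template closes the final '1'='1 comparison.
    union = "x' UNION SELECT name, type, sql FROM sqlite_master WHERE '1'='1"
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "union_leak": lookup_vulnerable(conn, union),
        "safe_benign": len(lookup_parameterized(conn, benign)),
        "safe_tautology": len(lookup_parameterized(conn, tautology)),
        "safe_union": len(lookup_parameterized(conn, union)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the tautology payload the vulnerable lookup returns every row in the table, and with the UNION payload it returns the `CREATE TABLE` text from `sqlite_master`; the parameterized lookup treats both strings as an ordinary hostname value and matches nothing. The fix is the shape of the query, not filtering of individual characters.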
Fortinet’s CVE record lists a CVSS v3.1 base score of 9.1 and identifies FortiClientEMS 7.4.4 as affected. It also lists upgrades to 7.4.5 or later as a fix and references an upgrade path to 8.0.0 or later.
The NVD entry repeats the unauthenticated SQL injection description and shows a different CNA score value for the same vector, reflecting an ongoing enrichment process.
For enterprise teams, the common signal across both records is the combination of network attack vector, no privileges required and no user interaction, which generally pushes issues to the front of patch queues when the vulnerable interface is reachable from untrusted networks.
What’s affected and what Fortinet says to do
Fortinet’s CVE publication identifies the impacted build as FortiClientEMS 7.4.4 and points to upgrades as the remediation path.
Fortinet’s published materials for CVE-2026-21643 focus on upgrading to fixed versions and do not list specific workarounds in the advisory itself.
Why this lands differently after FortiCloud SSO abuse
The FortiClientEMS fix follows Fortinet’s January disclosure of CVE-2026-24858, an authentication bypass tied to FortiCloud SSO that affects multiple Fortinet products when FortiCloud SSO authentication is enabled.
NVD describes a scenario where an attacker with a FortiCloud account and a registered device could log into devices registered to other accounts under certain configurations.
In a PSIRT blog post about that incident, Fortinet said it disabled FortiCloud accounts that were being abused, then disabled FortiCloud SSO and later re-enabled it with restrictions tied to patched versions.
Fortinet described those steps as a response to observed abuse and a way to limit further exploitation through the cloud-linked authentication path.
Taken together, the two disclosures keep attention on the management plane and on identity paths tied to centralized services. One issue is a classic input-handling weakness in an administrative interface; the other is a cloud-linked authentication control that Fortinet said was abused.
Neither the NVD entry nor Fortinet’s published CVE record includes technical exploit details such as the exact injection vector, affected endpoint paths or post-exploitation behavior.