Fortinet Patches Critical SQL Injection Flaw Enabling Unauthenticated Code Execution

Critical Vulnerability Disclosed

Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.

Technical Details

According to Fortinet's advisory, "An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests."

Affected Versions

The shortcoming affects the following versions:

- FortiClientEMS 7.2 - Not affected
- FortiClientEMS 7.4.4 - Upgrade to 7.4.5 or above
- FortiClientEMS 8.0 - Not affected

Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw.

Exploitation Status

While Fortinet makes no mention of the vulnerability being exploited in the wild, it's essential that users move quickly to apply the fixes.

Related Security Issues

The development comes as the company addressed another critical severity flaw in FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb (CVE-2026-24858, CVSS score: 9.4) that allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Fortinet has since acknowledged that the issue has been actively exploited by bad actors to:

- Create local admin accounts for persistence
- Make configuration changes granting VPN access to those accounts
- Exfiltrate the firewall configurations

Source: The Hacker News: Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution