Critical unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4 allows remote code execution via HTTP requests. This vulnerability is actively being exploited in the wild and has been added to CISA's KEV catalog.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-02-06
Added to CISA KEV: 2026-04-13 (66 days between CVE publication and KEV addition)
Two vulnerabilities, CVE-2026-35616 and CVE-2026-21643, both classified as unauthenticated RCE flaws, were exploited in the wild, affecting Fortinet's FortiClient EMS platform.

Apply the patches released by Fortinet addressing CVE-2026-35616 and CVE-2026-21643 without delay. Restrict internet-facing access to the EMS management interface using firewall rules or VPN-gated access. Review logs for anomalous activity, unauthorized configuration changes, or unexpected outbound connections.
An attacker exploiting CVE-2026-35616 may execute unauthorized code or commands through maliciously crafted HTTP requests.

Active exploitation of CVE-2026-21643 (CVSS 9.8) was acknowledged in Fortinet's security advisory (FG-IR-26-099) on April 4th. Defused Cyber is credited with detecting the zero-day attacks and responsibly disclosing the flaw to the vendor.
A critical SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-21643, is actively being exploited in the wild. Threat actors have been leveraging this flaw in attacks starting four days ago, despite it not yet appearing on the CISA Known Exploited Vulnerabilities catalog. The security flaw affects FortiClient EMS version 7.4.4, leaving ...
Successful exploitation may lead to remote code execution and the exfiltration of usernames and hashed passwords for the local device admin(s), portal admins, and the user accounts used for remote access (but not external Active Directory or LDAP passwords).
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.