🔴 CVE-2026-21643

Critical unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4 allows remote code execution via HTTP requests. This vulnerability is actively being exploited in the wild and has been added to CISA's KEV catalog.

  • Risk Level: HIGH_RISK
  • CVSS Score: 9.1
  • Attack Vector: NETWORK
  • ATT&CK Tactic: Initial Access
  • ATT&CK Technique: T1190 — Exploit Public-Facing Application
  • Deployment Risk: HIGH
  • Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-02-06

Added to CISA KEV: 2026-04-13 (66 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-04-13)

CVE-2026-21643 is a critical vulnerability affecting Fortinet's FortiClient Endpoint Management Server (EMS), specifically version 7.4.4 [3]. It has been actively exploited in the wild [2][3].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability affects FortiClient EMS, which can be exposed to the internet, making it a potential target for external attackers [1].
  • Evidence of active exploitation: There is clear evidence that this vulnerability is being exploited in the wild, with threat actors leveraging it in attacks [2][3]. Defused Cyber is credited with detecting zero-day active attacks [2].
  • Attack vectors and exploitation methods: CVE-2026-21643 is classified as an unauthenticated RCE (Remote Code Execution) flaw [1]. It is described as a SQL injection vulnerability [3]. Successful exploitation may lead to remote code execution, allowing attackers to exfiltrate usernames and hashed passwords for local device administrators, portal administrators, and user accounts used for remote access [4].
  • Targeted attacks: While the provided information confirms active exploitation, it does not explicitly state whether these attacks have been used in targeted campaigns against specific organizations.
  • CISA Known Exploited Vulnerabilities (KEV) status: As of April 6, 2026, CISA added CVE-2026-21643 to its Known Exploited Vulnerabilities (KEV) Catalog [5]. This addition is based on evidence of active exploitation [5]. Organizations are advised to use the KEV catalog for vulnerability prioritization [7].
  • Technical details about internet exploitability: The vulnerability allows for unauthorized code or commands to be executed through maliciously crafted HTTP requests [2]. It is an unauthenticated flaw, meaning an attacker with network-level access to the EMS management server can carry out the attack without prior authentication [6].
Recommendations for mitigation include:
  • Applying patches released by Fortinet addressing CVE-2026-21643 without delay [1].
  • Restricting internet-facing access to the EMS management interface using firewall rules or VPN-gated access [1].
  • Reviewing logs for anomalous activity, unauthorized configuration changes, or unexpected outbound connections [1].

Sources

  1. 2,000+ FortiClient EMS Instances Exposed Online Amid Active RCE...

    Two vulnerabilities, CVE-2026-35616 and CVE-2026-21643, both classified as unauthenticated RCE flaws, were exploited in the wild, affecting Fortinet’s FortiClient EMS platform. Apply patches released by Fortinet addressing CVE-2026-35616 and CVE-2026-21643 without delay. Restrict internet-facing acce…

  2. Fortinet EMS Vulnerabilities Actively Exploited

    An attacker exploiting CVE-2026-35616 may execute unauthorized code or commands through maliciously crafted HTTP requests. Active exploitation of CVE-2026-21643 (CVSS 9.8) was acknowledged in Fortinet’s security advisory (FG-IR-26-099) on April 4th. Defused Cyber is credited with detection of zero-da…

  3. Critical Fortinet Forticlient EMS Vulnerability Exploited in Attacks

    A critical SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-21643, is actively being exploited in the wild. Threat actors have been leveraging this flaw in attacks starting four days ago, despite it not yet appearing on the CISA Known Exploi…

  4. Print View

    Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).

  5. CISA Adds One Known Exploited Vulnerability to Catalog | CISA

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.