The vulnerability CVE-2026-21643 is a critical SQL Injection (SQLi) flaw found in Fortinet's FortiClientEMS software, specifically impacting versions prior to 7.4.5. This vulnerability arises from improper neutralization of special elements in SQL commands, allowing an unauthenticated attacker to inject malicious SQL code through crafted HTTP requests. Successful exploitation enables arbitrary code execution on the affected system, effectively granting attackers the ability to run unauthorized commands remotely without any authentication or user interaction. Fortinet has confirmed the flaw's criticality with a CVSS score of 9.1, reflecting the high impact on confidentiality, integrity, and availability. The vulnerability was discovered and reported by Fortinet's internal security team. While FortiClientEMS versions 7.2 and 8.0 are not affected, versions 7.4.4 and earlier require urgent patching to 7.4.5 or above. Fortinet has not reported active exploitation in the wild yet, but the potential for exploitation is significant given the nature of the flaw. This vulnerability is part of a broader set of critical issues recently addressed by Fortinet, including other severe flaws in FortiOS and related products. The SQLi vulnerability allows attackers to bypass authentication, execute arbitrary code, and potentially gain persistent administrative access, which could lead to configuration changes, VPN access manipulation, and data exfiltration. The flaw affects enterprise environments relying on FortiClientEMS for endpoint management and security orchestration, making it a high-value target for threat actors.

European organizations using FortiClientEMS are at high risk due to the critical nature of this vulnerability. Exploitation can lead to full compromise of endpoint management systems, allowing attackers to execute arbitrary code, alter security configurations, and potentially move laterally within networks. This could result in unauthorized access to sensitive data, disruption of security operations, and persistence within critical infrastructure. Given Fortinet's widespread adoption across European enterprises, government agencies, and critical infrastructure sectors, the impact could be severe, including operational downtime, data breaches, and regulatory non-compliance under GDPR. The unauthenticated nature of the exploit increases the attack surface, enabling remote attackers to target vulnerable systems without prior access. This elevates the risk of widespread exploitation, especially in sectors with high reliance on Fortinet products for network and endpoint security. Additionally, the vulnerability could be leveraged in coordinated attacks against strategic targets, potentially affecting national security and economic stability in Europe.

Organizations should immediately identify and inventory all FortiClientEMS deployments to determine exposure. The primary mitigation is to upgrade all affected FortiClientEMS instances to version 7.4.5 or later, as versions 7.2 and 8.0 are not vulnerable. Network segmentation should be enforced to limit access to FortiClientEMS management interfaces, restricting them to trusted administrative networks. Implement strict web application firewall (WAF) rules to detect and block SQL injection attempts targeting FortiClientEMS endpoints. Continuous monitoring and logging of FortiClientEMS traffic and system behavior should be enhanced to detect anomalous activities indicative of exploitation attempts. Organizations should also review and harden endpoint security policies and credentials to prevent lateral movement if compromise occurs. Incident response plans must be updated to include this vulnerability, ensuring rapid containment and remediation. Finally, coordinate with Fortinet support and subscribe to official advisories for timely updates and patches.