FortiClient EMS: Vulnerability is under attack
In February, Fortinet addressed a critical vulnerability in FortiClient EMS with a security patch. Attackers are now targeting it.
The security management software Fortinet FortiClient EMS (Endpoint Management Server) is itself a security risk because of a critical vulnerability. In February of this year, Fortinet provided a patch to fix the flaw. Now IT researchers have observed attacks on the vulnerability on the internet.
On LinkedIn, Defused reported that the first attack attempts took place a few days ago. The finding comes from the company's analysis of honeypot data. The attacked vulnerability is an SQL injection flaw that attackers can exploit through the "Site" header of an HTTP request (CVE-2026-21643, CVSS 9.1 [Fortinet] or 9.8 [NVD], risk "critical"). According to Fortinet's security advisory, unauthenticated attackers can use manipulated HTTP requests to inject and execute unauthorized code or commands.
At the time of reporting, Fortinet itself had not yet updated its advisory to indicate active exploitation. Using the Shodan search engine, Defused identified nearly 1000 FortiClient EMS instances that are freely accessible on the internet and thus reachable by attackers.
FortiClient EMS: Affected and patched versions
In February, Fortinet reported only version 7.4.4 of FortiClient EMS as being affected by the vulnerability. Versions 7.2 and 8.0 are therefore not a cause for concern for administrators. Version 7.4.5 or newer closes the security gap.
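The "Site" header vector and the affected-version information above can be combined into a simple log triage. The following is an added example, not code from Fortinet, Defused or the article. It assumes a reverse proxy in front of EMS that writes one JSON object per request including the request headers, and it assumes legitimate site names are short identifiers; the log format, the allow-list pattern and all function names are hypothetical.

```python
import json
import re

# Assumption: legitimate site names are short identifiers; adjust to your tenants.
SITE_OK = re.compile(r"[A-Za-z0-9_.-]{1,64}")
AFFECTED = {(7, 4, 4)}  # per the article: only 7.4.4; fixed in 7.4.5 or newer

def is_affected(version: str) -> bool:
    """True if the installed EMS version is the one the article lists as affected."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts in AFFECTED

def site_header(headers: dict):
    """Return the Site header value; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "site":
            return value
    return None

def triage(log_lines, ems_version):
    """Return findings for requests whose Site header fails the allow-list."""
    priority = "investigate-now" if is_affected(ems_version) else "review"
    findings = []
    for raw in log_lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        value = site_header(rec.get("headers", {}))
        if value is not None and not SITE_OK.fullmatch(value):
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "site": value, "priority": priority})
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '{"ts":"2026-01-01T10:00:00Z","src":"198.51.100.7","path":"/","headers":{"Site":"default"}}',
    '{"ts":"2026-01-01T10:00:05Z","src":"203.0.113.9","path":"/","headers":{"site":"default\' OR 1=1--"}}',
    '{"ts":"2026-01-01T10:00:09Z","src":"203.0.113.9","path":"/","headers":{"User-Agent":"x"}}',
    'not json',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, "7.4.4"):
        print(finding)
```

An allow-list on the header value is used instead of matching SQL keywords, so unexpected encodings are flagged as well; a hit on a patched server is still worth reviewing as scanning activity.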
Initially, Fortinet stated that the vulnerability was also present in FortiEMS Cloud. However, the developers later removed that entry, as it was not affected after all.
New security vulnerabilities are constantly being found in Fortinet network products. Around early March, Fortinet released updates to close 18 security vulnerabilities.
(dmk)