Critical SQL Injection in Fortinet FortiClient EMS (CVE‑2026‑21643) Added to CISA KEV Catalog
What It Is — A high‑severity (CVSS 9.1) SQL injection flaw in Fortinet FortiClient Endpoint Management Server (EMS) permits unauthenticated attackers to inject arbitrary SQL commands into the backend database.
Exploitability — CISA’s Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation in the wild; proof‑of‑concept code has been publicly released.
Affected Products — Fortinet FortiClient EMS (all versions prior to the vendor‑issued patch).
TPRM Impact — The vulnerability can be leveraged by threat actors to compromise a vendor’s endpoint‑management service, potentially exposing client‑side data and enabling lateral movement across a supply‑chain network.
Recommended Actions —
- Verify FortiClient EMS version; apply Fortinet’s emergency patch immediately.
- Conduct a rapid inventory of all third‑party assets using FortiClient EMS and confirm they are covered by the patch.
- Review logs for anomalous database queries or authentication bypass attempts.
- Update incident‑response playbooks to include detection of SQL‑injection attempts against EMS endpoints.
- Communicate remediation status to affected business units and external partners.
Source: The Hacker News