[CDP-development] **UPDATED** TLP:GREEN (Vulnerability Alert Notification) CVE-2026-21643: Fortinet FortiClient EMS Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Mon Apr 13 13:18:28 PDT 2026


NOTE: **Updates will be italicized and red**

Good afternoon,

The SOC Services team is reporting on the vulnerability: CVE-2026-21643: Fortinet FortiClient EMS Vulnerability. Because this flaw has been confirmed to be exploited in the wild and was added to the CISA KEV catalog on April 13, 2026, we are providing this in-depth information.

History: Disclosed by Fortinet PSIRT on February 6, 2026, this vulnerability has been assigned a CVSS 3.X base score of 9.8 by Fortinet, Inc.

Affected Versions

  *   FortiClientEMS 7.4.4 in multitenant mode

Fixed Versions

  *   FortiClientEMS Upgrade to 7.4.5 or above

*FortiClientEMS 7.2 and 8.0 are not affected by this vulnerability.

An improper neutralization of special elements in SQL commands (CWE-89) allows an unauthenticated remote attacker to execute unauthorized code or commands via specifically crafted HTTP requests to the administrative interface.

Vendor Advisory: FG-IR-25-1142: FortiClientEMS - SQL injection in Site-related HTTP requests<https://fortiguard.fortinet.com/psirt/FG-IR-25-1142>

Intelligence: On March 30, 2026, multiple news organizations reported that the vulnerability was being exploited. On April 13, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability Level: Network Exploitability
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Yes
Zero Day: No

Workarounds: Restrict network access to the FortiClientEMS management interface to trusted administrative IP addresses only; Place the management server behind a Web Application Firewall (WAF) with SQL injection filtering enabled.

How it Works: The vulnerability exists in pre-authentication endpoints such as /api/v1/init_consts. When the EMS web interface processes an HTTP request, it uses a specific header (often the "Site" header in multi-tenant mode) to determine the database schema. An attacker can break out of the single quotes in this header to inject arbitrary SQL commands.

Post-Exploit Impact:

  *   Remote Code Execution (CWE-89)
  *   Complete System Compromise and Data Exfiltration (CWE-89)

Indicators of Compromise (IoCs):

  Type            | Value               | Description / Notes
  Network Traffic | /api/v1/init_consts | Unusual HTTP 500 errors or repeated rapid requests to this pre-auth endpoint
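A defender-side check that applies the mechanism described under "How it Works" and the IoC above to access-log data, added here as an example and not part of the advisory or of any Fortinet or Tenable tooling. It assumes JSON-per-line access logs with ts, src, method, path, status and site fields (an assumption; map them to whatever your EMS host or reverse proxy actually emits) and runs on constructed sample lines.

```python
import json
import re
from collections import defaultdict

# Constructed sample log lines; field names are an assumption for this example.
SAMPLE_LOG = """
{"ts": 1776000000.0, "src": "203.0.113.5", "method": "POST", "path": "/api/v1/init_consts", "status": 500, "site": "tenant-a'"}
{"ts": 1776000000.3, "src": "203.0.113.5", "method": "POST", "path": "/api/v1/init_consts", "status": 500, "site": "tenant-a'"}
{"ts": 1776000000.6, "src": "203.0.113.5", "method": "POST", "path": "/api/v1/init_consts", "status": 500, "site": "tenant-a'"}
{"ts": 1776000050.0, "src": "198.51.100.9", "method": "GET", "path": "/api/v1/init_consts", "status": 200, "site": "tenant-b"}
{"ts": 1776000060.0, "src": "198.51.100.9", "method": "GET", "path": "/api/v1/status", "status": 200, "site": "tenant-b"}
"""

PRE_AUTH_ENDPOINT = "/api/v1/init_consts"          # pre-auth endpoint named in the advisory
SQLI_META = re.compile(r"['\";]|--|/\*")            # characters a tenant site name should never contain
RATE_WINDOW = 10.0                                 # seconds (tuning assumption)
RATE_THRESHOLD = 3                                 # requests per window that count as a burst

def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def summarize(events):
    """Per-source counts of the advisory's indicators on the pre-auth endpoint."""
    per_src = defaultdict(lambda: defaultdict(int))
    times = defaultdict(list)
    for e in events:
        if e["path"] != PRE_AUTH_ENDPOINT:
            continue
        src = e["src"]
        per_src[src]["requests"] += 1
        if e["status"] == 500:
            per_src[src]["http_500"] += 1
        if SQLI_META.search(e.get("site", "")):
            per_src[src]["site_header_metachar"] += 1
        times[src].append(e["ts"])
    for src, ts in times.items():
        ts.sort()
        # sliding window: any RATE_THRESHOLD requests inside RATE_WINDOW seconds
        if any(ts[i + RATE_THRESHOLD - 1] - ts[i] <= RATE_WINDOW
               for i in range(len(ts) - RATE_THRESHOLD + 1)):
            per_src[src]["rapid_burst"] = 1
    return {s: dict(c) for s, c in per_src.items()}

def suspicious_sources(events):
    """Sources that tripped any indicator beyond plain successful requests."""
    return sorted(s for s, c in summarize(events).items()
                  if set(c) - {"requests"})
```

Only the source that sent malformed Site headers, drew HTTP 500s and burst the endpoint is reported; the tenant that simply loaded the page is not.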

Tenable Plugins: As of April 13, 2026, Tenable has released the following plugins for this vulnerability.

  Plugin ID                                             | Plugin Name                                         | Severity | Platform
  304507<https://www.tenable.com/plugins/nessus/304507> | Fortinet FortiClient EMS 7.4.4 SQLi (FG-IR-25-1142) | Critical | Nessus


Recommended Actions:

  *   Upgrade to fixed versions immediately.
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.

EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>