Threat actors exploit critical Fortinet FortiClient EMS flaw

 


Threat actors are actively targeting a critical vulnerability in Fortinet’s FortiClient EMS platform. The flaw, tracked as CVE-2026-21643, allows unauthenticated attackers to execute arbitrary code on vulnerable systems.

According to threat intelligence firm Defused, exploitation began only days ago. At the time of writing, neither CISA nor Fortinet has flagged the flaw as actively exploited. Researchers say attackers are leveraging a SQL injection flaw in the FortiClient EMS web interface: malicious HTTP requests carrying a crafted “Site” header are enough to compromise a vulnerable system.

“Attackers can smuggle SQL statements through the "Site"-header inside an HTTP request,” Defused said, noting that data from Shodan shows that nearly 1,000 FortiClient EMS instances are publicly exposed.
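As an added example, not code from the article, from Defused or from Fortinet, the following Python triage helper illustrates the kind of check a defender can run over captured HTTP requests to a FortiClient EMS server: it parses each raw request, pulls out the Site header and scores the value for SQL syntax, checking both the raw and the percent-decoded form. The indicator patterns, weights, threshold, host name and sample requests are all constructed for illustration; they are not the exploit payload (which the article does not publish) and the request path is a placeholder, not a real EMS endpoint.

```python
import re
from urllib.parse import unquote

# Heuristic indicators of SQL syntax in a header value, with weights.
# Patterns, weights and threshold are constructed for this example; they are
# not a vendor signature and not the exploit payload reported by Defused.
INDICATORS = [
    (re.compile(r"'"), "single quote", 1),
    (re.compile(r"--"), "line comment", 2),
    (re.compile(r"/\*.*?\*/", re.DOTALL), "block comment", 2),
    (re.compile(r";\s*[A-Za-z]"), "statement stacking", 2),
    (re.compile(
        r"\b(?:union\s+(?:all\s+)?select|select\s.+?\sfrom|insert\s+into|"
        r"delete\s+from|drop\s+(?:table|database)|waitfor\s+delay|"
        r"information_schema|xp_\w+|sleep\s*\(|benchmark\s*\()",
        re.IGNORECASE), "SQL keyword", 3),
    (re.compile(r"\bor\b\s+[\w']+\s*=\s*[\w']+", re.IGNORECASE), "tautology", 3),
]
THRESHOLD = 3  # a lone apostrophe (weight 1) does not trip the alert


def parse_request(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 request into its request line and a header map.

    Header names are lower-cased; repeated headers are kept as a list so a
    duplicated Site header is noticed rather than silently overwritten."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def score_header_value(value: str) -> tuple[int, list[str]]:
    """Score one header value; checks the raw and percent-decoded forms so an
    encoded payload such as %27 is not missed."""
    candidates = {value, unquote(value)}
    score, hits = 0, []
    for pattern, label, weight in INDICATORS:
        if any(pattern.search(c) for c in candidates):
            score += weight
            hits.append(label)
    return score, hits


def inspect_request(raw: str, header: str = "site") -> dict:
    """Triage a single request: return the Site header value(s), the indicator
    labels, a total score and a verdict against THRESHOLD."""
    request_line, headers = parse_request(raw)
    values = headers.get(header.lower(), [])
    score, hits = 0, []
    for value in values:
        s, h = score_header_value(value)
        score += s
        hits.extend(x for x in h if x not in hits)
    if len(values) > 1:  # a repeated tenant/site selector is itself odd
        score += 2
        hits.append("duplicate header")
    return {
        "request_line": request_line,
        "values": values,
        "score": score,
        "indicators": hits,
        "suspicious": score >= THRESHOLD,
    }


def triage(requests: dict[str, str]) -> list[str]:
    """Return the names of the requests that cross the threshold."""
    return [name for name, raw in requests.items() if inspect_request(raw)["suspicious"]]


# Constructed sample requests. Host, path and Site values are placeholders
# made up for this example; none is a real EMS endpoint or an observed payload.
SAMPLE_REQUESTS = {
    "benign": "GET / HTTP/1.1\r\nHost: ems.example.test\r\nSite: Head Office\r\n\r\n",
    "benign_apostrophe": "GET / HTTP/1.1\r\nHost: ems.example.test\r\nSite: O'Brien Clinic\r\n\r\n",
    "tautology": "GET / HTTP/1.1\r\nHost: ems.example.test\r\nSite: x' OR '1'='1\r\n\r\n",
    "encoded_comment": "GET / HTTP/1.1\r\nHost: ems.example.test\r\nSite: x%27%20OR%201%3D1--\r\n\r\n",
    "duplicate": "GET / HTTP/1.1\r\nHost: ems.example.test\r\nSite: a\r\nSite: b\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        result = inspect_request(raw)
        print(f"{name:18} score={result['score']:<2} suspicious={result['suspicious']} {result['indicators']}")
```

The weighted threshold is the point of the design: a site name containing an apostrophe is common in real deployments and scores 1, while a quote combined with a comment sequence or a tautology crosses the line. Percent-decoding before matching catches the encoded variant; a production rule would also normalise Unicode and double-encoding, which this example leaves out.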

The vulnerability affects FortiClient EMS version 7.4.4. Fortinet has released a fix in version 7.4.5, and customers are strongly advised to upgrade as soon as possible.

At the time of reporting, CISA’s catalog of actively exploited flaws (KEV) lists over 20 Fortinet vulnerabilities, with at least 13 linked to ransomware campaigns.

Separately, security researchers warned that threat actors are actively probing a critical Citrix NetScaler ADC and NetScaler Gateway vulnerability (CVE-2026-3055).

