CVE-2026-21643
CISA KEV
Unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS (CWE-89). FortiClient EMS operates as the central management plane for the Fortinet endpoint security stack. The flaw allows a remote, unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. It is actively exploited against internet-exposed EMS instances. CISA added it to the KEV catalog on 2026-04-13 with an accelerated remediation deadline of 2026-04-16. The exploitation pattern parallels that of the 2024 FortiClient EMS SQLi (CVE-2023-48788).
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-89
Threats tracking this CVE
- FortiClient EMS Pre-Authentication API Bypass Leading to RCE (CVE-2026-35616) — Active Zero-Day Exploitation — CRITICAL
- CVE-2026-35616: Fortinet FortiClientEMS Pre-Authentication API Bypass Leading to Remote Code Execution (CISA KEV) — CRITICAL
- CISA KEV Catalog Update: Seven Actively Exploited Vulnerabilities Added 2026-04-13 (Microsoft, Adobe, Fortinet) — CRITICAL