# CVE-2026-21643

> Unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS (CWE-89). FortiClient EMS operates as the central management plane for Fortinet's endpoint security stack. The flaw allows a remote attacker to execute unauthorized code or commands via crafted HTTP requests without authentication. It is actively exploited against internet-exposed EMS instances. Added to the CISA KEV catalog on 2026-04-13 with an accelerated remediation deadline of 2026-04-16. Parallels the 2024 exploitation pattern of the earlier FortiClient EMS SQL injection (CVE-2023-48788).

- **CVSS:** 9.8 (CRITICAL)
- **EPSS:** 62.5%
- **CISA KEV:** yes
- **CWE:** CWE-89

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-21643
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp
