CVE-2026-21643

CriticalCISA KEVActive ExploitationPublic PoC

Published: 06 February 2026

Published

06 February 2026

Modified

14 April 2026

KEV Added

13 April 2026

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.6252 98.4th percentile

Risk Priority 77 60% EPSS · 20% KEV · 20% CVSS

Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-21643 by requiring timely patching of the SQL injection flaw in FortiClientEMS 7.4.4 to prevent unauthorized code execution.

SI-10 Information Input Validation good match

prevent

Prevents SQL injection exploitation by validating and sanitizing specially crafted HTTP request inputs used in SQL commands within FortiClientEMS.

SC-7 Boundary Protection partial match

prevent

Boundary protection with web application firewalls can filter and block malicious HTTP requests targeting the SQL injection vulnerability in FortiClientEMS.

Security SummaryAI

CVE-2026-21643 is an SQL injection vulnerability (CWE-89) in Fortinet FortiClientEMS version 7.4.4, stemming from improper neutralization of special elements used in an SQL command. Published on 2026-02-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

An unauthenticated attacker with network access can exploit the vulnerability via specially crafted HTTP requests, requiring low complexity and no privileges or user interaction. Exploitation may allow execution of unauthorized code or commands, resulting in high confidentiality, integrity, and availability impacts on the affected FortiClientEMS instance.

Fortinet's PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 details the issue. A proof-of-concept exploit script is available at https://github.com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.py. The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643, indicating active real-world exploitation.

Details

CWE(s): CWE-89
KEV Date Added: 13 April 2026

Affected Products

fortinet

forticlientems

7.4.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability in public-facing FortiClient EMS server enables unauthenticated remote exploitation for arbitrary code/command execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
Vendor Advisory · psirt@fortinet.com
https://github.com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.py
Exploit · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0