
CVE-2026-21643: Fortinet FortiClient EMS SQL Injection — Detection and Remediation

Security Arsenal Team
April 16, 2026
5 min read

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. Among these is CVE-2026-21643, a critical SQL injection flaw in Fortinet FortiClient EMS. This flaw carries a CVSS score of 9.1, making it a severe risk for organizations relying on Fortinet’s endpoint management infrastructure.

While this KEV update also includes undisclosed flaws in Microsoft and Adobe products, the details surrounding CVE-2026-21643 present an immediate, actionable threat for SOC and IR teams. Under Binding Operational Directive (BOD) 22-01, federal agencies have a strict deadline to patch these vulnerabilities; private sector organizations should treat this timeline as a baseline for their own remediation operations to prevent ransomware or data theft.

Technical Analysis

Vulnerability: CVE-2026-21643
Affected Product: Fortinet FortiClient EMS (Endpoint Management System)
CVSS Score: 9.1 (Critical)
Vulnerability Type: SQL Injection

FortiClient EMS is the central management server for Fortinet endpoints. A SQL injection vulnerability in this component allows an authenticated attacker to execute arbitrary SQL commands against the underlying database. Given the architecture of EMS, SQL injection often leads to credential theft, data exfiltration, and potentially remote code execution (RCE) on the management server itself.

Attack Chain

  1. Initial Access: An attacker requires network access to the FortiClient EMS web interface. While authentication may be required, the specific exploit mechanism can sometimes bypass strict authentication checks or leverage weak credentials.
  2. Exploitation: The attacker sends crafted HTTP requests containing malicious SQL statements to vulnerable endpoints.
  3. Impact: Successful exploitation compromises the EMS database. Attackers can dump endpoint tables (listing all managed assets), retrieve administrative credentials, or, in some scenarios, write files to disk to achieve system-level execution.

Exploitation Status: CONFIRMED ACTIVE EXPLOITATION. CISA has added this to the KEV catalog based on evidence of active use in the wild.

Detection & Response

Detecting SQL injection attempts at the network layer can be difficult without specific WAF signatures. However, exploitation of EMS typically results in post-exploitation activity that is significantly louder and easier to detect on the endpoint.

The most reliable detection method is identifying the FortiClient EMS service spawning unauthorized shell processes or making anomalous network connections.

SIGMA Rules

YAML
---
title: FortiClient EMS Spawning Unauthorized Shell
id: 8a4b2c1d-9e6f-4a3b-8c5d-1e2f3a4b5c6d
status: experimental
description: Detects FortiClient EMS spawning cmd.exe or powershell.exe, a common pattern following SQL injection to RCE.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains: 'FortiClientEMS'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative troubleshooting by IT staff
level: critical
---
title: Potential SQLi via EMS Web Interface
id: 9b5c3d2e-0f7a-5b4c-9d6e-2f3a4b5c6d7e
status: experimental
description: Detects generic SQL injection patterns in URI parameters targeting FortiClient EMS.
references:
  - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.21643
logsource:
  category: webserver
  product: azure
  definition: 'Requirements: Azure Web Application Firewall logs or proxy logs ingested as WebServer'
detection:
  selection_target:
    c-uri|contains: '/FCT'
  selection_sqli:
    c-uri|contains:
      - 'OR 1=1'
      - 'UNION SELECT'
      - 'WAITFOR DELAY'
      - ';--'
  condition: all of selection_*
falsepositives:
  - Potential false positives depending on application logic, verify user agent and source IP.
level: medium
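As an added example (not code from the original post or from Fortinet), the matching logic of the web-interface Sigma rule above run over a few constructed proxy log lines in Python. It adds URL decoding on top of the rule's plain substring test, because a percent- or plus-encoded parameter would slip past the raw `c-uri|contains` match. The log format and field names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed proxy/WAF log lines for this example (not real traffic).
# Assumed format: <client_ip> <method> <uri> <status>
SAMPLE_LOG = """\
10.0.0.5 GET /FCT/api/endpoints?id=42 200
10.0.0.9 GET /FCT/api/endpoints?id=42'%20OR%201=1-- 500
10.0.0.9 GET /FCT/api/endpoints?id=42+UNION+SELECT+1,2,3 500
10.0.0.7 GET /static/logo.png 200
10.0.0.9 GET /FCT/login?user=admin';WAITFOR%20DELAY%20'0:0:5'-- 200
10.0.0.9 GET /FCT/api/endpoints?id=1;-- 200
"""

# Same indicators the Sigma rule lists; Sigma 'contains' is a case-insensitive substring test.
SQLI_INDICATORS = ("OR 1=1", "UNION SELECT", "WAITFOR DELAY", ";--")


def normalize_uri(uri: str) -> str:
    """Decode percent/plus encoding twice (catches double encoding), collapse whitespace, uppercase."""
    decoded = unquote_plus(unquote_plus(uri))
    return re.sub(r"\s+", " ", decoded).upper()


def is_suspicious(uri: str, normalize: bool = True) -> bool:
    """True when the request targets the EMS path (/FCT) and carries an indicator.

    normalize=False reproduces the rule's raw substring behaviour, which misses
    encoded payloads such as '%20OR%201=1' or '+UNION+SELECT'.
    """
    haystack = normalize_uri(uri) if normalize else uri.upper()
    if "/FCT" not in haystack:
        return False
    return any(ind in haystack for ind in SQLI_INDICATORS)


def scan_log(log_text: str, normalize: bool = True) -> list[dict]:
    """Return one record per matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the hunt
        client, method, uri, status = parts[:4]
        if is_suspicious(uri, normalize):
            hits.append({"client": client, "method": method, "uri": uri, "status": status})
    return hits
```

Run with normalization on, four of the six constructed lines match; with the raw substring behaviour only the literal `;--` line does, which is the gap a WAF or SIEM rule should close by matching on the decoded URI.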

KQL (Microsoft Sentinel / Defender)

This query hunts for the parent-child process relationship indicative of successful exploitation on the EMS server.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has "FortiClientEMS"
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc

Velociraptor VQL

Hunt for suspicious process lineage stemming from the FortiClient EMS service.

VQL — Velociraptor
-- Hunt for FortiClient EMS spawning shells
SELECT Pid, Ppid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Ppid IN (
    -- Get PIDs of FortiClientEMS processes
    SELECT Pid FROM pslist() WHERE Name =~ 'FortiClientEMS'
)
AND Name =~ 'cmd|powershell|wscript'

Remediation Script (PowerShell)

Use this script to identify vulnerable versions of FortiClient EMS and verify the patch status. Note: Adjust the $TargetVersion variable based on the specific patched version released by Fortinet.

PowerShell
# Fortinet FortiClient EMS CVE-2026-21643 Remediation Checker
# Run as Administrator on the EMS Server

# CRITICAL: Verify the specific patched version in the Fortinet Security Advisory.
# Example value only - replace '7.2.5.0' with the actual patched build.
$TargetVersion = "7.2.5.0"

Write-Host "[+] Checking for FortiClient EMS Installation..." -ForegroundColor Cyan

# Common installation paths
$paths = @(
    "C:\Program Files (x86)\Fortinet\FortiClientEMS",
    "C:\Program Files\Fortinet\FortiClientEMS"
)

$found = $false
foreach ($path in $paths) {
    if (Test-Path $path) {
        $found = $true
        $exePath = Join-Path $path "FortiClientEMS.exe"
        if (Test-Path $exePath) {
            $fileInfo = Get-Item $exePath
            $version = $fileInfo.VersionInfo.FileVersion
            Write-Host "    Found Installation: $path" -ForegroundColor Green
            Write-Host "    File Version: $version" -ForegroundColor Yellow

            # FileVersion may carry trailing build text; keep only the leading dotted number
            $parsed = $null
            if ($version -match '^\s*(\d+(\.\d+){1,3})') { $parsed = [version]$Matches[1] }

            if ($null -eq $parsed) {
                Write-Host "    [?] Could not parse version string; confirm on the EMS console 'About' page." -ForegroundColor Yellow
            } elseif ($parsed -lt [version]$TargetVersion) {
                Write-Host "    [!] ALERT: Version is vulnerable to CVE-2026-21643." -ForegroundColor Red
                Write-Host "    Action Required: Apply Fortinet patch immediately."
            } else {
                Write-Host "    [+] Version appears patched." -ForegroundColor Green
            }
        } else {
            Write-Host "    [?] Directory present but FortiClientEMS.exe not found in $path" -ForegroundColor Yellow
        }
    }
}

if (-not $found) {
    Write-Host "[-] FortiClient EMS installation not found in standard paths." -ForegroundColor Gray
}

Remediation

  1. Patch Immediately: Apply the security patches released by Fortinet for CVE-2026-21643. Verify the exact build number required in the Fortinet Security Advisory.
  2. Verify Patching: Use the PowerShell script above or consult the EMS console "About" page to confirm the version post-update.
  3. Network Segmentation: Ensure the FortiClient EMS management interface is not accessible from the public internet. Restrict access to specific internal management subnets via firewall ACLs.
  4. Audit for Compromise: If the system was unpatched during the window of active exploitation, assume compromise. Review EMS logs for anomalous admin logins, database queries, or strange process execution (using the Sigma rules provided above). Rotate all credentials stored within the EMS database and endpoint credentials if trust has been established.
