
FortiClientEMS Vulnerabilities Under Active Exploitation, Expose Systems to RCE
Why It Matters
The active exploitation of unauthenticated RCE bugs threatens enterprise and government networks, forcing rapid patch cycles and heightened security monitoring.
Key Takeaways
- Two unauthenticated RCE flaws in FortiClientEMS are under active exploitation.
- SQL injection (CVE-2026-21643) affects version 7.4.4 only.
- Improper access control (CVE-2026-35616) affects versions 7.4.5 through 7.4.6.
- Apply the hotfixes; move 7.4.4 installs to 7.4.5 or later, and keep the CVE-2026-35616 hotfix on 7.4.5 and 7.4.6 until 7.4.7 is available.
- CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog.
Pulse Analysis
Two zero-day vulnerabilities in FortiClientEMS underscore the risk concentrated in endpoint management servers. The SQL injection (CVE-2026-21643) sits in the administrative console of version 7.4.4 and lets an attacker inject SQL without any credentials. Because the flaw is in a web-exposed interface, it can be exploited at scale, so security teams should patch before a broader compromise takes hold.
Equally concerning is the improper access-control bug (CVE-2026-35616), which bypasses API authentication in versions 7.4.5 and 7.4.6 and allows unauthenticated command execution, effectively handing full control of the server to the attacker. Its addition to the CISA KEV catalog means CISA has confirmed exploitation in the wild and, under Binding Operational Directive 22-01, set a remediation deadline for US federal civilian agencies; organizations should apply the hotfixes now and plan migration to the forthcoming 7.4.7 release.
For enterprises, the dual exploitation highlights the need for layered defenses: continuous vulnerability scanning, strict network segmentation, and real-time threat intelligence integration. Fortinet's advisory gives clear remediation steps (apply the hotfixes and upgrade to 7.4.5 or later), but note that 7.4.5 and 7.4.6 are themselves in the range affected by CVE-2026-35616, so the hotfix must be applied on those releases until 7.4.7 ships. Security leaders should also reassess whether EMS management consoles are reachable from the internet and enforce least-privilege access. These measures mitigate not only these specific flaws but also shrink the attack surface for future zero-days.
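The version ranges and the KEV listing above are what a defender needs to sort an EMS inventory into hosts that are clean, hosts that need the hotfix, and hosts that also carry a KEV-listed bug. The following triage script is an added example, not Fortinet's or CISA's code. It encodes the affected ranges exactly as this page states them (assuming each range is an inclusive span of exact 7.4.x patch levels), reads a JSON document in the shape of CISA's KEV feed (the excerpt in the block is constructed; the live feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), and returns a per-host finding with the action implied by the page's remediation guidance. Host names and version strings in the sample inventory are made up.

```python
"""Triage a FortiClientEMS inventory against the affected-version ranges and
the CISA KEV listing described above. Added example, not Fortinet or CISA
code; the sample inventory and the KEV excerpt are constructed."""
import json
import re

# Affected ranges as stated on the page. Assumption: each range is an
# inclusive span of exact 7.4.x patch levels.
AFFECTED = {
    "CVE-2026-21643": ((7, 4, 4), (7, 4, 4)),  # SQL injection, 7.4.4 only
    "CVE-2026-35616": ((7, 4, 5), (7, 4, 6)),  # improper access control, 7.4.5-7.4.6
}

# Constructed excerpt in the shape of CISA's KEV JSON feed (the "vulnerabilities"
# array and "cveID" key match the real feed; the entry is illustrative).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
         "product": "FortiClientEMS"},
    ]
})


def parse_version(text):
    """Return (major, minor, patch) from strings like '7.4.5' or
    'FortiClientEMS v7.4.5 build 1234'; None if no dotted triple is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_cves(version):
    """CVE IDs whose affected range contains this version (may be empty)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi]


def kev_ids(kev_json):
    """Set of CVE IDs present in a KEV-format JSON document."""
    return {e["cveID"] for e in json.loads(kev_json)["vulnerabilities"]}


def triage(inventory, kev_json=KEV_SAMPLE):
    """inventory: {host: version string}. Returns {host: finding} with the
    matched CVEs, whether any is KEV-listed, and the action the page's
    guidance implies for that release."""
    kev = kev_ids(kev_json)
    report = {}
    for host, version in inventory.items():
        cves = affected_cves(version)
        in_kev = any(c in kev for c in cves)
        if not cves:
            action = "outside affected ranges"
        elif "CVE-2026-21643" in cves:
            # 7.4.4: moving to 7.4.5/7.4.6 lands in the other CVE's range,
            # so the hotfix is still required on the target release.
            action = ("upgrade off 7.4.4 and apply the CVE-2026-35616 hotfix "
                      "on the target release until 7.4.7 is available")
        else:
            action = "apply the CVE-2026-35616 hotfix; migrate to 7.4.7 when released"
        report[host] = {"version": version, "cves": cves,
                        "actively_exploited": bool(cves),
                        "in_kev": in_kev, "action": action}
    return report


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {"ems-prod-01": "7.4.4",
              "ems-prod-02": "FortiClientEMS v7.4.6 build 2100",
              "ems-lab": "7.4.3"}
    for host, f in triage(sample).items():
        flags = ("KEV " if f["in_kev"] else "") + (", ".join(f["cves"]) or "-")
        print(f"{host:12} {f['version']:34} {flags:30} {f['action']}")
```

Feed the script your real inventory (from the EMS web console's About page or your asset database) and the downloaded KEV JSON instead of the constructed excerpt; any host reported with a non-empty `cves` list is running a release the page describes as actively exploited, regardless of whether the KEV flag is set.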