
"Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems. The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0. "An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests," Fortinet said in an advisory."
"The shortcoming affects the following versions -
FortiClientEMS 7.2 (Not affected)
FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
FortiClientEMS 8.0 (Not affected)
Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw. While Fortinet makes no mention of the vulnerability being exploited in the wild, it's essential that users move quickly to apply the fixes."
Fortinet released updates to remediate a critical SQL injection vulnerability in FortiClientEMS (CVE-2026-21643) that can enable unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw is rated CVSS 9.1. Affected installations include FortiClientEMS 7.4.4, which should be upgraded to 7.4.5 or above; FortiClientEMS 7.2 and 8.0 are not affected. Gwendal Guégniaud of the Fortinet Product Security team is credited with discovery and reporting. Administrators are urged to apply fixes promptly. Fortinet also addressed a separate actively exploited FortiCloud-related flaw (CVE-2026-24858) used to gain persistence and exfiltrate configurations.
Read at The Hacker News