Overview of the FortiClientEMS Vulnerability (CVE‑2026‑21643)
Fortinet released a security update that patches a critical SQL injection flaw in FortiClientEMS. The vulnerability allows an unauthenticated attacker to send specially crafted HTTP requests that can execute arbitrary code on the affected system. The issue is rated 9.1 CVSS and is identified as CWE‑89.
The flaw was discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.
Details of the FortiOS‑Related Vulnerability (CVE‑2026‑24858)
A separate critical vulnerability affecting FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb was also disclosed. With a CVSS score of 9.4, the flaw enables an attacker who possesses a FortiCloud account and a registered device to log into other devices that share the same SSO configuration, potentially creating local admin accounts, altering configurations, and exfiltrating firewall data.
Impact and Exploitation
While Fortinet has not confirmed active exploitation of CVE‑2026‑21643, the FortiCloud‑SSO vulnerability (CVE‑2026‑24858) has been observed in the wild. Attackers have used it to:
- Create persistent local administrator accounts.
- Grant VPN access to compromised accounts.
- Exfiltrate firewall configurations.
Mitigation Steps
Administrators should take the following actions immediately:
- Apply the latest FortiClientEMS security update released by Fortinet.
- Update FortiOS, FortiManager, FortiAnalyzer, FortiProxy and FortiWeb to the patched versions.
- Review and, if possible, disable FortiCloud SSO authentication until the issue is resolved.
- Audit existing user accounts and VPN configurations for unauthorized changes.
Additional Resources
For more information, consult Fortinet’s official advisories and consider attending webinars that cover AI‑driven, context‑aware forensics for faster cloud investigations.