
February 12, 2026 |

Fortinet fixes a critical flaw in FortiClientEMS


At a glance: Fortinet disclosed a critical vulnerability (CVE-2026-21643) in FortiClientEMS 7.4.4 that allows unauthenticated remote code execution via the web interface. With a CVSS score of 9.1, exposed management servers should be upgraded to 7.4.5 or later immediately.

Threat summary

On February 6, Fortinet released fixes for a critical vulnerability in FortiClient Enterprise Management Server (FortiClientEMS). The flaw affects the FortiClientEMS web interface in version 7.4.4; versions 7.2 and 8.0 are reported as not affected.

FortiClientEMS is Fortinet’s centralized management platform for FortiClient endpoint agents, used to deploy policies, manage endpoint security posture, and collect telemetry across large Windows and multi‑platform environments. It's widely used by enterprises and managed service providers (MSPs) to manage high volumes of endpoints across distributed or multi‑tenant environments.

The vulnerability, tracked as CVE‑2026‑21643 (Fortinet FG-IR-25-1142), enables an unauthenticated remote user to send crafted HTTP requests to the FortiClientEMS web interface, inject SQL commands, and achieve unauthorized code or command execution on the underlying server.

The flaw results from improper neutralization of special elements in SQL commands and is categorized as SQL Injection (CWE‑89). The Common Vulnerability Scoring System (CVSS) score is 9.1 out of 10. Exploitation requires network access to the FortiClientEMS web interface but does not require valid credentials, and the attack complexity appears low based on the nature of SQL injection in a management interface.
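To make CWE-89 concrete, the following is an added example (not Fortinet's code and unrelated to FortiClientEMS internals) that puts a lookup handler built by string concatenation beside its parameterized form. The table, column names and the request value are constructed for the illustration; the hostile input is a generic tautology of the kind WAF rules match on, and the point is that the bound-parameter version returns nothing for it while the concatenated version returns every row.

```python
"""Added example (not Fortinet's code): improper neutralization of special
elements in an SQL command (CWE-89), beside the parameterized fix.
The table, columns and inputs are constructed for this example."""
import sqlite3


def _build_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table of endpoint records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO endpoints VALUES (?, ?)",
        [("ws-001", "token-a"), ("ws-002", "token-b"), ("srv-001", "token-c")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    """Untrusted value spliced into the SQL text: the quote in the input
    closes the literal and the remainder is parsed as SQL."""
    query = f"SELECT hostname FROM endpoints WHERE hostname = '{hostname}'"
    return [row[0] for row in conn.execute(query)]


def lookup_fixed(conn: sqlite3.Connection, hostname: str) -> list:
    """Bound parameter: the driver passes the value to the engine as data,
    so it is compared against the column and never parsed as SQL."""
    query = "SELECT hostname FROM endpoints WHERE hostname = ?"
    return [row[0] for row in conn.execute(query, (hostname,))]


def demo() -> dict:
    """Run both lookups with a benign and a constructed hostile value."""
    conn = _build_db()
    benign = "ws-001"
    # Constructed input: a quote that ends the literal plus an always-true clause.
    hostile = "x' OR 'a'='a"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "fixed_benign": lookup_fixed(conn, benign),
        "fixed_hostile": lookup_fixed(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fix is not input filtering but separating code from data: with a bound parameter there is no string for the quote character to break out of, which is why parameterized queries (or an ORM that emits them) are the standard remediation for this weakness class.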

Analysis & mitigation

Externally exposed management services carry higher risk because any actor on the internet can reach an exposed interface using ordinary web traffic, and vulnerabilities of this type are triggered before authentication. Exposure alone creates the attack path.

Because FortiClientEMS holds administrative control over endpoints and often integrates with directory services and other core infrastructure, compromise of this server can translate directly into broad endpoint and identity compromise. Organizations that depend on FortiClientEMS for compliance reporting and incident response also lose access to a system that provides endpoint telemetry, policy visibility, and audit data.

To detect the exploitation of flaws like this, Field Effect MDR continuously monitors network traffic, endpoint behavior, and management‑plane activity, detecting unusual requests to management interfaces, unexpected process activity on servers, and anomalous configuration pushes originating from FortiClientEMS.

By correlating signals across endpoints and infrastructure, Field Effect MDR rapidly identifies lateral movement or unauthorized changes triggered via a compromised management server. This visibility and correlation reduce dwell time and support rapid containment if exploitation occurs.

Field Effect MDR users would be alerted via ARO if vulnerable systems were detected in their environment. Applying the vendor patch by upgrading FortiClientEMS 7.4.4 to 7.4.5 or later eliminates the underlying vulnerability.

In addition to applying the vendor patch, mitigations include:

  • Limiting network access to the FortiClientEMS web interface
  • Removing external exposure
  • Placing the service behind an authenticated reverse proxy
  • Applying web application firewall rules to detect SQL injection patterns
  • Increasing monitoring for anomalous activity on the management server
  • Ensuring that backups do not contain vulnerable binaries
  • Reviewing access control lists for management subnets
  • Enforcing multifactor authentication on adjacent systems
  • Confirming that endpoint management actions initiated from FortiClientEMS are logged and monitored for anomalies
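Two of the mitigations above, management-subnet access control and WAF-style matching of SQL injection patterns, can be checked retrospectively against web-server access logs. The following is an added example (not Field Effect's or Fortinet's code): it parses Common Log Format lines, flags requests to the management interface that come from outside the allowed subnets, and flags requests whose decoded query string carries generic SQL injection markers. The URL prefixes, subnets, addresses and log lines are all constructed for the example and do not describe FortiClientEMS paths or traffic.

```python
"""Added example (not Field Effect's or Fortinet's code): review access-log
lines for a management interface against a management-subnet ACL and a small
set of SQL injection patterns. Prefixes, subnets, addresses and log lines
are constructed for this example."""
import ipaddress
import re
from urllib.parse import unquote

# Assumption: URL prefixes that belong to the management interface.
MANAGEMENT_PREFIXES = ("/admin", "/api/")

# Assumption: the only networks that should reach the interface.
ALLOWED_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Generic SQL injection markers, matched against the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),      # quote, then a tautology
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),       # UNION-based probing
    re.compile(r"(--|/\*)"),                                # comment sequences that cut off a statement
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I), # stacked statements
]

# Common Log Format: client ident user [time] "METHOD url PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \d+')

# Constructed sample lines: an internal request, an external request to the
# login page, an external request with a tautology in a parameter, and a
# request for a static asset outside the management prefixes.
SAMPLE_LOG = """\
10.0.4.12 - - [06/Feb/2026:10:01:02 +0000] "GET /admin/login HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2026:10:01:09 +0000] "GET /admin/login HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2026:10:01:15 +0000] "GET /api/endpoints?host=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87
192.168.50.20 - - [06/Feb/2026:10:02:40 +0000] "GET /static/logo.png HTTP/1.1" 200 9000
"""


def analyse_line(line: str):
    """Return (client, path, findings) for a parseable line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, url, _status = m.groups()
    path, _, query = url.partition("?")
    findings = []
    if not path.startswith(MANAGEMENT_PREFIXES):
        return (client, path, findings)  # not the management surface; nothing to check
    try:
        addr = ipaddress.ip_address(client)
        inside = any(addr in net for net in ALLOWED_SUBNETS)
    except ValueError:
        inside = False  # unparseable client field: do not treat it as trusted
    if not inside:
        findings.append("external-source")
    decoded = unquote(query)
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        findings.append("sqli-pattern")
    return (client, path, findings)


def review_log(text: str):
    """Return only the parsed lines that produced at least one finding."""
    flagged = []
    for line in text.splitlines():
        result = analyse_line(line)
        if result and result[2]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for client, path, findings in review_log(SAMPLE_LOG):
        print(f"{client} {path}: {', '.join(findings)}")
```

An "external-source" finding on a management path is itself the exposure problem the advisory describes, independent of any payload; the pattern match only narrows down which of those requests deserve immediate triage. Patterns this coarse will produce false positives on legitimate parameters, so in practice they belong in a WAF or SIEM rule that is tuned against the interface's known query shapes rather than run as-is.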