Fortinet has released a critical security advisory urging administrators to promptly update FortiClientEMS, its central management tool for endpoint protection.
The vulnerability, tracked as CVE-2026-21643, carries a CVSSv3 score of 9.1 and may allow remote attackers to run unauthorized code on affected servers.
The flaw is categorized as an SQL Injection (SQLi) vulnerability, formally identified as an “improper neutralization of special elements used in an SQL Command” (CWE-89).
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
Gwendal Guégniaud from the Fortinet Product Security team discovered the vulnerability, and there is no evidence of it being exploited publicly as of now.
Security teams are advised to review their logs for suspicious HTTP requests targeting the EMS GUI and, where possible, isolate management interfaces from the public internet until the patch can be applied.
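As an added example (not from Fortinet or the advisory), a small Python triage script that applies generic CWE-89 indicators to URL-decoded request targets in constructed access-log lines. The log format, request paths and addresses are assumptions, and the patterns are coarse heuristics for log review, not a signature for CVE-2026-21643.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real EMS deployment).
# Paths are placeholders, not FortiClientEMS endpoints; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2026:10:01:02 +0000] "GET /ems/placeholder/list?page=1&sort=name HTTP/1.1" 200 512
203.0.113.10 - - [20/Jan/2026:10:01:09 +0000] "GET /ems/placeholder/list?sort=name%27%20OR%201%3D1-- HTTP/1.1" 500 0
198.51.100.7 - - [20/Jan/2026:10:02:15 +0000] "POST /ems/placeholder/search?q=UNION%20SELECT%20null HTTP/1.1" 403 0
198.51.100.7 - - [20/Jan/2026:10:03:00 +0000] "GET /ems/placeholder/search?q=O%27Brien HTTP/1.1" 200 220
"""

# Assumed combined-log-style layout: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Generic CWE-89 indicators, matched after URL decoding. These are triage
# heuristics; the advisory publishes no exploit details to build a precise rule from.
SQLI_INDICATORS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("trailing-comment", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so a double-encoded payload is inspected in its final form.
    rec["target"] = unquote_plus(unquote_plus(rec["target"]))
    return rec


def suspicious(target):
    """Return the names of the indicators that fire on one decoded request target."""
    return [name for name, pat in SQLI_INDICATORS if pat.search(target)]


def triage(log_text):
    """Return (ip, timestamp, decoded target, status, reasons) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious(rec["target"])
        if reasons:
            hits.append((rec["ip"], rec["ts"], rec["target"], rec["status"], reasons))
    return hits
```

The fourth sample line (a legitimate apostrophe in a name) is deliberately not flagged, which shows why a bare quote character is too noisy to use as an indicator on its own.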
## Impact of an Unauthenticated Remote Code Execution (RCE) Vulnerability
An unauthenticated Remote Code Execution (RCE) vulnerability is a serious security risk. If exploited, the impact can be severe:
- **Full System Compromise:** Attackers can gain complete control over the compromised FortiClientEMS server.
- **Data Exfiltration:** Sensitive organizational data, including client information, configuration files, and intellectual property, could be stolen.
- **Malware Deployment:** The compromised server can be used as a beachhead to deploy ransomware, cryptominers, or other malicious software throughout the network.
- **Persistent Access:** Attackers can establish backdoors to maintain access even after the initial vulnerability is patched.
- **Operational Disruption:** Critical services managed by FortiClientEMS could be disrupted, leading to downtime and financial losses.