{"id":229222,"date":"2026-03-30T03:48:00","date_gmt":"2026-03-30T07:48:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/30\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/"},"modified":"2026-03-30T11:35:15","modified_gmt":"2026-03-30T15:35:15","slug":"critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/30\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/","title":{"rendered":"Critical Fortinet Forticlient EMS flaw now exploited in attacks"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/\">Critical Fortinet Forticlient EMS flaw now exploited in attacks<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/<\/a><\/p>\n<p>Publish Date: 2026-03-30 03:48:00<\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p>Attackers are now actively exploiting a critical vulnerability in Fortinet&#8217;s FortiClient EMS platform, according to threat intelligence company Defused.<\/p>\n<p>Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClientEMS GUI (web interface) via maliciously crafted HTTP requests.<\/p>\n<p>&#8220;Fortinet Forticlient EMS CVE-2026-21643 &#8211; currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists &#8211; has seen first exploitation already 4 days ago according to our data,&#8221; Defused 
warned over the weekend.<\/p>\n<p>&#8220;Attackers can smuggle SQL statements through the &#8216;Site&#8217;-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.&#8221;<\/p>\n<p>The vulnerability, discovered internally by Gwendal Gu\u00e9gniaud of the Fortinet Product Security team, affects FortiClient EMS version 7.4.4 and can be patched by upgrading to version 7.4.5 or later.<\/p>\n<p>Fortinet has yet to update its security advisory and flag the vulnerability as exploited in the wild. BleepingComputer reached out to a Fortinet spokesperson to confirm reports of active exploitation, but a response was not immediately available.<\/p>\n<p>Internet security watchdog group Shadowserver is currently\u00a0tracking over 2,000 FortiClient EMS instances with their web interfaces exposed online, with more than 1,400 IPs in the United States and in Europe.<\/p>\n<p><img decoding=\"async\" alt=\"FortiClient EMS exposed online\" height=\"341\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1109292\/2026\/FortiClient%20EMS%20exposed%20online.jpg\" width=\"700\"\/>FortiClient EMS exposed online (Shadowserver)<\/p>\n<p>A separate Shodan search shows more than FortiClient EMS, with most exposed instances in the United States.<\/p>\n<p>Fortinet vulnerabilities are frequently exploited to breach corporate networks in ransomware attacks and cyber espionage campaigns (often as zero-day bugs while patches are still pending).<\/p>\n<p>Most recently, Fortinet mitigated CVE-2026-24858 zero-day attacks by blocking FortiCloud SSO connections from devices running&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical Fortinet Forticlient EMS flaw now exploited in attacks 
https:\/\/www.bleepingcomputer.com\/news\/security\/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks\/ Publish Date: 2026-03-30 03:48:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229223,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/12\/29\/Fortinet.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,27],"class_list":["post-229222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229222"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229222"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229222\/revisions"}],"predecessor-version":[{"id":229224,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229222\/revisions\/229224"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229223"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=229222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true
}]}}