ZyberWalls.com: Independent Cybersecurity Research

FortiClient EMS Zero-Day Exploits CVE-2026-21643 & CVE-2026-35616

ZyberWalls Research Team Independent cybersecurity researchers covering zero-days, CVEs, breach analysis and threat intelligence. All facts verified from primary sources.

Marcus is the IT administrator for a mid-sized manufacturing company. Last week he read about a critical vulnerability in FortiClient EMS — the software his company uses to manage security across all employee laptops. He patched immediately. Updated to version 7.4.5. Job done.

This week, Defused — the same security company that found the original flaw — found a new critical vulnerability. In version 7.4.5. The patch he just applied.

In cybersecurity, sometimes patching one hole opens another.

FortiClient EMS — Two Active Vulnerabilities — Key Facts
  • CVE-2026-21643 — SQL injection in FortiClient EMS 7.4.4 — CVSS 9.1 Critical
  • CVE-2026-35616 — Improper access control in FortiClient EMS 7.4.5 and 7.4.6 — CVSS 9.1 Critical
  • Both: Unauthenticated — no login, no password, no user interaction required
  • Both: Actively exploited in the wild before patches were widely deployed
  • Discovered by: Defused — threat intelligence company using honeypot sensors
  • Affected product: FortiClient EMS — Fortinet's centralised endpoint management server
  • Exposed instances: Over 2,000 FortiClient EMS servers directly accessible on the internet (Shadowserver)
  • Safe version: FortiClient EMS 7.4.7 or above / 7.2.11 or above
  • CISA KEV: Not yet listed — but exploitation confirmed. Do not wait for KEV listing to patch.
  • Fortinet history: CISA has flagged 24 Fortinet vulnerabilities as actively exploited — 13 used in ransomware attacks
[Figure: FortiClient EMS zero-day vulnerabilities CVE-2026-21643 and CVE-2026-35616, showing SQL injection and access control bypass leading to remote code execution]

What Is FortiClient EMS — In Plain English

FortiClient EMS is the control room for company-wide endpoint security. Organisations use it to manage, configure, and monitor FortiClient — the security software installed on every employee's laptop, desktop, and device. From one central server, an IT administrator can push security policies, check which devices are compliant, and manage access controls across hundreds or thousands of machines.

Because it sits at the centre of an organisation's security infrastructure and has authority over every managed device, it is an extremely high-value target. Compromising the EMS server is not like hacking one employee's laptop — it is like taking the keys to the entire building's security system.

Root Cause — Two Flaws, One After the Other

CVE-2026-21643 — The Original Flaw (version 7.4.4)

This flaw is a SQL injection vulnerability — one of the oldest and most well-understood attack types in security. SQL is the language applications use to store and retrieve information in a database. A SQL injection attack happens when an attacker sneaks database commands into a place the application was not designed to accept them.

Think of it like this: a restaurant takes orders via a form. The form is supposed to accept food items. A SQL injection attack is the equivalent of writing "Burger AND also give me all your customer credit card records" in the food order box — and the kitchen actually processing both instructions.

In FortiClient EMS 7.4.4, attackers discovered they could smuggle SQL commands through a standard HTTP request header called "Site" — a field that FortiClient EMS accepts without checking whether it contains hidden database instructions. No login required. They send the crafted request, the server processes the hidden command, and the attacker gains the ability to execute code on the machine.
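The mechanism described above, as an added example that is not FortiClient EMS code and does not reproduce Fortinet's implementation: a lookup that pastes a request header value into a query string, beside the same lookup with the value bound as a parameter. The table, column names and rows are constructed for the demonstration, and an in-memory SQLite database stands in for the real backend. The injected value used is a generic tautology, chosen because a single-statement SQLite call can show the effect; it is not the payload observed in the wild.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small in-memory table a 'Site' header
    value might be looked up against. Schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO sites (name, secret) VALUES ('default', 's3cr3t-default');
        INSERT INTO sites (name, secret) VALUES ('plant-a', 's3cr3t-plant-a');
    """)
    return conn


def lookup_site_vulnerable(conn, site_header):
    # VULNERABLE: the header value is concatenated into the SQL text, so a
    # quote inside the header ends the string literal and everything after
    # it is parsed as SQL by the database.
    sql = "SELECT name FROM sites WHERE name = '" + site_header + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_site_safe(conn, site_header):
    # SAFE: the value is passed as a bound parameter. The database receives
    # the query shape and the data separately, so the header is only ever
    # compared as a string, whatever characters it contains.
    sql = "SELECT name FROM sites WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (site_header,))]


if __name__ == "__main__":
    db = make_db()
    benign = "plant-a"
    # Constructed tautology: the quote closes the literal, OR 1=1 makes the
    # WHERE clause always true, and -- comments out the trailing quote.
    injected = "x' OR 1=1 --"
    print("vulnerable, benign header  :", lookup_site_vulnerable(db, benign))
    print("vulnerable, injected header:", lookup_site_vulnerable(db, injected))
    print("safe, benign header        :", lookup_site_safe(db, benign))
    print("safe, injected header      :", lookup_site_safe(db, injected))
```

With the concatenated query the injected header returns every row in the table; with the parameterised query the same header matches nothing, because no site is literally named `x' OR 1=1 --`. The fix is not input filtering but keeping data out of the query text altogether.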

Defused detected live exploitation of this flaw on March 26, 2026 — days before it appeared on any official threat tracking list. Their honeypot sensors — decoy servers that look like real FortiClient EMS instances — recorded actual attack payloads being sent from real attacker infrastructure.

CVE-2026-35616 — The Flaw in the Patch (versions 7.4.5 and 7.4.6)

Fortinet patched CVE-2026-21643 in version 7.4.5. But when Defused investigated the fix, they found that 7.4.5 and 7.4.6 — the versions meant to be safe — contained a separate critical flaw: improper access control.

Access control is the mechanism that decides who is allowed to do what. A properly configured API — the programming interface that allows software systems to communicate — should check credentials before allowing any sensitive action. CVE-2026-35616 means FortiClient EMS 7.4.5 and 7.4.6 fail to perform that check on certain requests. An unauthenticated attacker can send a specially crafted request to the API and execute commands on the server as if they were an authorised administrator.

Two administrators patching to different versions are both vulnerable. The one who stayed on 7.4.4 has the SQL injection flaw. The one who upgraded to 7.4.5 or 7.4.6 has the access control flaw. The only safe path runs through 7.4.7 — and administrators who patched last week now need to patch again.

Why This Matters Beyond Fortinet

Fortinet products are standard enterprise security infrastructure — firewalls, endpoint managers, VPN concentrators — used across governments, hospitals, banks, and large enterprises worldwide. CISA has flagged 24 separate Fortinet vulnerabilities as actively exploited in the past. Thirteen of those have been used directly in ransomware attacks.

This is not an isolated incident. It is part of a consistent pattern where enterprise security tools — the products designed to protect organisations — become the entry point for attackers. We covered this pattern earlier this year with the FortiCloud SSO zero-day CVE-2026-24858:

The Fortinet Trust Bypass: CVE-2026-24858 Deep Dive

The attackers targeting FortiClient EMS are not random. FortiClient EMS has authority over every endpoint it manages. Gaining access to the EMS server means gaining the ability to push malicious configurations to every device under management — potentially compromising an entire organisation's endpoint fleet in a single action.

The Defused Story — Why Government Lists Are Not Enough

Both vulnerabilities were identified by Defused — a threat intelligence company that uses honeypot sensors to detect real attacks before they are publicly reported. CVE-2026-21643 was being actively exploited for four days before it appeared on any government vulnerability list. CVE-2026-35616 was disclosed directly to Fortinet through responsible disclosure — reported before it was widely exploited, giving organisations a narrow window to patch.

This is the critical lesson: CISA's Known Exploited Vulnerabilities list is reactive — it records flaws after exploitation is confirmed and publicly documented. By the time a vulnerability appears on that list, attackers may have been using it for days or weeks. Organisations that patch only when they see a KEV entry are always behind.

Indicators of Compromise (IOCs)

# FortiClient EMS CVE-2026-21643 / CVE-2026-35616 — Detection

# Check your FortiClient EMS version immediately
# Vulnerable:
#   7.4.4 — CVE-2026-21643 (SQL injection, actively exploited)
#   7.4.5 — CVE-2026-35616 (access control bypass)
#   7.4.6 — CVE-2026-35616 (access control bypass)
# Safe:
#   7.4.7 or above
#   7.2.11 or above

# CVE-2026-21643 — Known attacker IP
104.192.92[.]135  — block at firewall

# CVE-2026-21643 — Attack signature in web logs
# Look for unusual values in the "Site" HTTP request header
# containing SQL keywords: SELECT, FROM, pg_sleep, INSERT
# Example observed payload:
# Site: x'; SELECT pg_sleep(4)--

# CVE-2026-21643 — Targeted endpoint in logs
GET /api/v1/init_consts   (check for unusual requests to this endpoint)

# General IOCs — signs of post-exploitation
Alert: New admin accounts created on EMS outside approved change windows
Alert: Unusual configuration exports from EMS server
Alert: EMS server making unexpected outbound connections
Alert: Security policy changes pushed to endpoints not initiated by IT

# Immediate actions
1. Upgrade to FortiClient EMS 7.4.7 or 7.2.11 immediately
2. Restrict EMS web interface to internal network — remove internet exposure
3. Review EMS web logs for Site header anomalies from March 26 onwards
4. Rotate all administrative credentials on EMS server
5. Review all policy changes pushed to endpoints in the past two weeks

SOC Alert Priorities

Priority 1 — Identify your FortiClient EMS version right now. If you are on 7.4.4, 7.4.5, or 7.4.6 you have a critical unauthenticated vulnerability being actively exploited. The only safe versions are 7.4.7 and above, or 7.2.11 and above. Patch today — not at the next maintenance window.
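A small helper for the version triage in Priority 1, added here as an example and not a Fortinet tool. It encodes only what this page states: the three affected releases with their CVEs, and 7.4.7 / 7.2.11 as the first fixed releases on their branches. Anything on a branch the page does not cover is reported as unknown rather than guessed at. The input format (an optional leading `v`, then three dot-separated integers) is an assumption.

```python
import re

# Version-to-CVE mapping and first fixed releases as stated in the advisory
# summary on this page. The helper around them is an added example.
AFFECTED = {
    "7.4.4": "CVE-2026-21643 (SQL injection, actively exploited)",
    "7.4.5": "CVE-2026-35616 (improper access control)",
    "7.4.6": "CVE-2026-35616 (improper access control)",
}
FIXED = {(7, 4): (7, 4, 7), (7, 2): (7, 2, 11)}


def parse_version(text):
    """Parse 'major.minor.patch' (optional leading 'v') into a tuple of ints."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(text):
    """Return (status, detail) for a FortiClient EMS version string.

    status is 'vulnerable', 'fixed' or 'unknown'. Exact matches against the
    affected list win; otherwise the version is compared with the first
    fixed release on its branch; branches the page does not cover are
    reported as 'unknown'.
    """
    major, minor, patch = parse_version(text)
    key = f"{major}.{minor}.{patch}"
    if key in AFFECTED:
        return "vulnerable", AFFECTED[key]
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown", "branch not covered by this advisory"
    fixed_str = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return "fixed", f"at or above {fixed_str}"
    return "vulnerable", f"below first fixed release {fixed_str}"


if __name__ == "__main__":
    for v in ("7.4.4", "7.4.6", "7.4.7", "7.2.10", "7.2.11", "8.0.1"):
        print(v, "->", assess_version(v))
```

Run it against the version shown in the EMS console; a `vulnerable` result means the upgrade goes ahead of the next maintenance window, as the priority above says.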

Priority 2 — Remove internet exposure immediately. Over 2,000 FortiClient EMS instances are currently reachable directly from the internet. The EMS administrative interface should never be internet-facing. If yours is, restrict access to internal networks or a VPN immediately — before the patch is applied.

Priority 3 — Audit your EMS logs back to March 26. Exploitation of CVE-2026-21643 began around March 26. Search web server logs for unusual values in the "Site" HTTP header and unexpected requests to the /api/v1/init_consts endpoint. Any suspicious requests from that window should be treated as a potential breach indicator.
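The log review in Priority 3 and the indicators in the IOC section above, turned into a scanner. This is an added example, not a Fortinet or Defused tool, and the log layout it parses is an assumption: FortiClient EMS does not document the format used here, so the regular expression will need adapting to the real web server log. The indicators (the published attacker IP, the `/api/v1/init_consts` endpoint, the SQL keywords listed for the Site header, and the March 26 start date) come from this page; the log lines are constructed for the demonstration and use RFC 5737 documentation addresses alongside the one published indicator IP.

```python
import re
from datetime import datetime, timezone

# Indicators taken from this page. The IP is kept defanged as published and
# refanged only for matching.
KNOWN_BAD_IPS = {"104.192.92[.]135".replace("[.]", ".")}
TARGETED_PATH = "/api/v1/init_consts"
SQL_KEYWORDS = ("SELECT", "FROM", "PG_SLEEP", "INSERT")
EXPLOITATION_START = datetime(2026, 3, 26, tzinfo=timezone.utc)

# Assumed layout (not a documented EMS format): ISO-8601 timestamp, client IP,
# quoted request line, status code, then the Site header as site="...".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) site="(?P<site>.*)"$'
)

# Constructed sample log: one request before the window, one matching the
# published indicator and payload, one benign, one keyword-bearing header
# from an unlisted address.
SAMPLE_LOG = [
    '2026-03-20T08:00:00Z 198.51.100.10 "GET /api/v1/init_consts HTTP/1.1" 200 site="default"',
    '2026-03-26T02:14:09Z 104.192.92.135 "GET /api/v1/init_consts HTTP/1.1" 200 site="x\'; SELECT pg_sleep(4)--"',
    '2026-03-27T09:30:00Z 198.51.100.11 "GET /api/v1/init_consts HTTP/1.1" 200 site="plant-a"',
    '2026-03-28T11:02:44Z 203.0.113.9 "GET /api/v1/init_consts HTTP/1.1" 500 site="a\'; INSERT INTO t VALUES(1)--"',
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def site_header_suspicious(value):
    """True when the Site header carries an SQL keyword together with a
    quote, comment marker or statement separator; a plain site name has none."""
    upper = value.upper()
    has_keyword = any(k in upper for k in SQL_KEYWORDS)
    has_break = "'" in value or "--" in value or ";" in value
    return has_keyword and has_break


def scan(lines):
    """Return [(line, reasons)] for records on or after the exploitation
    start date that match a published indicator or the header pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < EXPLOITATION_START:
            continue
        reasons = []
        if rec["ip"] in KNOWN_BAD_IPS:
            reasons.append("source IP matches published indicator")
        if site_header_suspicious(rec["site"]):
            reasons.append("SQL keyword in Site header")
        # Legitimate clients also use this endpoint, so it is recorded as
        # context on an already-suspicious request rather than flagged alone.
        if reasons and rec["path"] == TARGETED_PATH:
            reasons.append(f"against targeted endpoint {TARGETED_PATH}")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   -", r)
```

The date filter only narrows the first pass; a request before March 26 that matches the header pattern still deserves a look, so drop the filter once the initial review is done. Any hit from the window should be handled as a potential breach indicator, which is what the post-exploitation checks in the IOC section are for.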

Priority 4 — Do not rely on CISA KEV as your trigger to patch. CVE-2026-21643 was exploited for four days before it appeared on official tracking lists. CVE-2026-35616 was disclosed directly to Fortinet and may not appear on KEV for days or weeks. If you run Fortinet products, subscribe to Fortinet's PSIRT alerts directly at fortiguard.fortinet.com.

Priority 5 — Review all endpoint policy changes from the past two weeks. If an attacker gained access to your EMS server, they may have pushed configuration changes to managed endpoints. Audit your endpoint fleet for unexpected policy changes, new certificates, or unauthorised software deployments.

The ZyberWalls Perspective

Twenty-four exploited Fortinet vulnerabilities in CISA's catalogue. Thirteen used in ransomware attacks. FortiClient EMS is now on that list — not once but twice in the same week.

The structural problem here is worth naming directly. Security tools — firewalls, endpoint managers, VPN concentrators — are trusted by design. They sit inside the network perimeter with elevated access, minimal monitoring, and the implicit assumption that they are safe. That assumption is precisely what attackers exploit. The security tool becomes the attack vector.

For Marcus, the IT administrator who patched promptly last week, the lesson is not that patching is futile. It is that enterprise security management requires monitoring multiple sources — vendor advisories, threat intelligence feeds, and honeypot data — not just government tracking lists. The window between exploitation and official recognition is shrinking. In this case it was four days. That is four days of open exposure for organisations waiting for official confirmation before acting.

Patch to 7.4.7. Remove internet exposure. Check your logs from March 26. Do it today.

Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team