Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” Fortinet said in an advisory.

The shortcoming affects the following versions –

• FortiClientEMS 7.2 (Not affected)
• FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
• FortiClientEMS 8.0 (Not affected)

Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw.

While Fortinet makes no mention of the vulnerability being exploited in the wild, it’s essential that users move quickly to apply the fixes.

The development comes as the company addressed another critical severity flaw in FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb (CVE-2026-24858, CVSS score: 9.4) that allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.