Fortinet's FortiClient Enterprise Management Server has now accumulated two critical vulnerabilities in rapid succession. Bishop Fox this week published a full technical breakdown of CVE-2026-21643, a pre-authentication SQL injection flaw in EMS version 7.4.4 with a CVSS score of 9.8, separate from the access control zero-day (CVE-2026-35616) that affected 7.4.5 and 7.4.6 and drew a CISA KEV addition last week.
The two vulnerabilities affect adjacent version numbers, creating a situation where organisations that patched one may have inadvertently stepped into the other.
The Vulnerability
CVE-2026-21643 is a classic SQL injection flaw (CWE-89) introduced in the 7.4.4 codebase when the multi-tenant feature's database connection layer was refactored. The change replaced parameterised queries with raw string interpolation, opening a pre-authentication injection point through the publicly accessible /api/v1/init_consts endpoint.
The endpoint requires no authentication, performs no request rate limiting, and helpfully returns database error messages, conditions that allow rapid automated extraction of data. Because the PostgreSQL database user in Fortinet's shipped Virtual Machine image runs with superuser privileges, the impact extends from data theft to full OS-level command execution via PostgreSQL's COPY ... TO/FROM PROGRAM mechanism.
An attacker exploiting CVE-2026-21643 can:
- Extract all admin password hashes, API tokens, and JWT secrets from the authentication tables
- Read the full endpoint inventory: hostnames, IP addresses, OS versions, serial numbers, and installed software across every managed FortiClient deployment
- Write arbitrary files to the EMS host as the postgres system user
- Execute OS commands if the default superuser database configuration is in place
The Version Trap
The patch for CVE-2026-21643 was 7.4.5, which then introduced CVE-2026-35616, the improper access control zero-day. Fortinet released a hotfix for CVE-2026-35616 for 7.4.5 and 7.4.6, with the full fix expected in 7.4.7.
Organisations now need to be on 7.4.5 or 7.4.6 with the hotfix applied to be protected against both flaws. Running 7.4.4 (without the CVE-2026-35616 exposure but with the SQL injection) or running 7.4.5/7.4.6 without the hotfix (patched for SQL injection but exposed to the access control flaw) leaves a critical gap in either direction.
Active Exploitation
Help Net Security reported exploitation of CVE-2026-21643 as early as 30 March, before the full Bishop Fox technical disclosure. The combination of a public advisory, published PoC-quality technical detail, and confirmed exploitation makes this a high-probability target for automated exploitation tooling.
CISA added CVE-2026-21643 to the Known Exploited Vulnerabilities catalogue on 13 April 2026.
Recommended Actions
- Check your EMS version immediately. If running 7.4.4, upgrade to 7.4.5 or 7.4.6 and apply the CVE-2026-35616 hotfix; do not stop at upgrading to 7.4.5 alone.
- Confirm hotfix status on all EMS deployments running 7.4.5 or 7.4.6. The hotfix for CVE-2026-35616 does not ship automatically with those versions.
- Restrict API access to the EMS management interface at the network level. The /api/v1/init_consts endpoint should not be reachable from untrusted networks.
- Audit EMS logs from mid-March onwards for unusual API calls to init_consts, unexpected database queries, new admin accounts, or configuration changes.
- Rotate all credentials stored in or accessible via EMS: admin passwords, API tokens, JWT secrets, and any endpoint credentials that could have been harvested from the management database.
- EMS 7.2 and below are not affected by either CVE-2026-21643 or CVE-2026-35616, but 7.2 branches are approaching end-of-life and should be evaluated for upgrade planning.
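As an added example (not from the article, Fortinet or Bishop Fox), the following Python scan implements the log-audit step above: it flags init_consts requests that carry SQL metacharacters, come from outside an assumed trusted management range, return database error status codes, or arrive in bursts from one source. The combined-log layout, the 10.0.0.0/8 trusted range and the sample lines are assumptions constructed for the example; adapt the regex to the real EMS or reverse-proxy log format.

```python
"""Triage aid for CVE-2026-21643: scan access-log lines for suspicious
hits on the EMS /api/v1/init_consts endpoint. Log layout is assumed."""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed combined-log-style layout: ip - - [timestamp] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/api/v1/init_consts"
# Generic SQL-injection indicators, matched after URL-decoding so %27 etc. count
SQLI_RE = re.compile(r"('|--|;|\bunion\b|\bselect\b|\bcopy\b|pg_sleep|\bfrom\s+program\b)", re.I)
# Assumed management networks that are allowed to reach the EMS API
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines: one benign admin hit, then two hits from an outside address
SAMPLE_LOG = [
    '10.0.5.20 - - [12/Mar/2026:09:01:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 200',
    '203.0.113.7 - - [18/Mar/2026:02:14:11 +0000] "GET /api/v1/init_consts?id=1%27%20UNION%20SELECT%201 HTTP/1.1" 500',
    '203.0.113.7 - - [18/Mar/2026:02:14:12 +0000] "GET /api/v1/init_consts?id=1 HTTP/1.1" 200',
]

def parse(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def audit(lines, burst=10, window=timedelta(seconds=60)):
    """Return (reason, source_ip, detail) findings for init_consts traffic."""
    findings, recent = [], {}
    for raw in lines:
        rec = parse(raw)
        if not rec or not rec["path"].startswith(ENDPOINT):
            continue
        ip, path = rec["ip"], unquote(rec["path"])
        if SQLI_RE.search(path):
            findings.append(("sqli-pattern", ip, path))
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED):
            findings.append(("untrusted-source", ip, path))
        if rec["status"].startswith("5"):  # endpoint leaks DB errors on malformed input
            findings.append(("db-error-response", ip, rec["status"]))
        # Sliding window per source: automated extraction through this flaw is noisy
        hist = [t for t in recent.get(ip, []) + [rec["ts"]] if rec["ts"] - t <= window]
        recent[ip] = hist
        if len(hist) == burst:
            findings.append(("burst", ip, f"{burst} requests within {window.seconds}s"))
    return findings
```

Lower `burst` to match the expected legitimate polling rate of your own management tooling, and correlate any untrusted-source hits with the credential rotation step above.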