CVE-2026-21643

Published Feb 6, 2026

Last updated a month ago

Exploit knownCVSS critical 9.8
Zero-day
IoT
Supply chain
SQL injection
Server
Database
Firmware
HTTP

Overview

Description
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Source
psirt@fortinet.com
NVD status
Analyzed
Products
forticlientems

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Fortinet SQL Injection Vulnerability
Exploit added on
Apr 13, 2026
Exploit action due
Apr 16, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com
CWE-89

Social media

Hype score
Not currently trending

  1. Top 5 Trending CVEs: 1 - CVE-2022-40769 2 - CVE-2025-5777 3 - CVE-2025-8088 4 - CVE-2023-41064 5 - CVE-2026-21643 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    5 Apr 2026

    256 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-21643: FortiClient EMS SQL injection—unauth RCE via admin interface. In 2026. In a "cyber-resilience" product. Patch dropped Dec 2025, exploitation active March 2026. Exposing EMS admin to internet = asking for ransomware. Literally.

    @CisoRaging77913

    3 Apr 2026

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2024-23222 3 - CVE-2026-3909 4 - CVE-2026-21643 5 - CVE-2026-2636 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    14 Mar 2026

    157 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.CVE-2026-25243
  2. In the Linux kernel, the following vulnerability has been resolved: comedi: me_daq: Fix potential overrun of firmware buffer `me2600_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards. Although it checks that the supplied firmware is at least 16 bytes long, it does not check that it is long enough to contain the data stream. Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.CVE-2026-31748
  3. Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.CVE-2024-54011
  4. Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.CVE-2026-21515
  5. A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.CVE-2026-25775

References

Sources include official advisories and independent security research.