What happened
Attackers are actively exploiting a critical SQL injection vulnerability in Fortinet's FortiClient Endpoint Management Server. The flaw, CVE-2026-21643, sits inside the server component managing FortiClient endpoint agents across Windows, Mac, and Linux devices.
Here is what makes this incident worth your attention. CISA had not added it to the Known Exploited Vulnerabilities catalog when exploitation was already underway. The early warning came from Defused Cyber, a threat intelligence firm running honeypots. Honeypots are decoy systems built to look like real targets and capture live attack attempts. Their sensors caught active exploitation before any official advisory did.
SQL injection works like this: the application takes untrusted input (a form field, URL parameter, or API value) and splices it directly into a database query without validation or parameterization, so the database executes the attacker's text as part of the command. When it works, the attacker reads, modifies, or deletes data, and in some cases takes full control of the underlying system.
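To make the mechanism concrete, here is an added example (not Fortinet's code, and unrelated to how FortiClient EMS is built) that puts a string-concatenated login query next to its parameterized equivalent, using Python's built-in sqlite3 module on an in-memory table. The table contents and the textbook `' OR 1=1 --` probe are constructed for illustration only.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input is pasted into the SQL text, so it is parsed as SQL.

    A username of  ' OR 1=1 --  turns the WHERE clause into a tautology and
    comments out the password check, matching every row.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the query shape fixed; input is bound as data.

    The same probe string is now compared literally against the username column
    and matches nothing.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, probe  :", login_vulnerable(db, "' OR 1=1 --", "x"))
    print("parameterized, probe:", login_parameterized(db, "' OR 1=1 --", "x"))
    print("parameterized, real :", login_parameterized(db, "alice", "s3cret"))
```

Both functions return the same result for a genuine credential pair; they diverge only on hostile input, which is exactly why the bug goes unnoticed in functional testing. Parameterized queries (or an ORM that uses them) are the fix; input filtering alone is a weaker, bypass-prone substitute.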
Why this matters for your business
FortiClient EMS sits at the center of endpoint management for many small and mid-sized businesses. It pushes policies and monitors the health of every device your team uses. If an attacker compromises it, they do not own one machine. They own the keys to all of them.
The timing gap in this incident is a real lesson. Many businesses rely on CISA's KEV list or vendor security bulletins as their signal to patch. This event shows active exploitation outran official cataloging by days or longer. Waiting for a public list to confirm a threat is a lag, not a strategy.
This maps directly to CIS Control 7: Continuous Vulnerability Management. IG1 organizations are expected to establish a process for tracking and remediating vulnerabilities in a timely way, prioritizing by severity and active threat status. A critical flaw in a management server needs immediate attention, not a scheduled maintenance window.
What to do now
If you run FortiClient EMS, check your current version against Fortinet's security advisory and apply available patches immediately. Do not wait for CISA to update their list.
Audit who has network access to your EMS server. Management interfaces should never be exposed to the public internet. Restrict access to known internal IP ranges or a VPN-only network segment.
Review your logs for unusual queries or authentication attempts against the EMS server going back at least 30 days. If you do not have centralized logging in place, close this gap now.
Verify your endpoint agents are still reporting correctly. If an attacker tampered with EMS, agent communications are one of the first things to get disrupted or redirected.
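The log review step above is the one most teams skip because it feels open-ended. As an added example (not from Fortinet or from the original post), this Python script shows the shape of that review: parse web-server-style access log lines, URL-decode the request path, flag requests carrying common SQL injection indicators, and count repeated authentication failures per source address. The log lines are constructed in a generic combined-log layout; this example does not know FortiClient EMS's real log format, so the line regex and the `/login` path are assumptions you would adapt to your own logs.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in a generic access-log layout (assumption: not the
# real FortiClient EMS format). Addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2026:08:01:10 +0000] "GET /api/agents?host=ws-101 HTTP/1.1" 200 512
10.0.0.5 - - [02/Feb/2026:08:01:12 +0000] "GET /api/agents?host=ws-102 HTTP/1.1" 200 498
203.0.113.7 - - [02/Feb/2026:08:02:01 +0000] "GET /api/agents?host=ws-101%27%20OR%201%3D1-- HTTP/1.1" 200 9120
203.0.113.7 - - [02/Feb/2026:08:02:03 +0000] "GET /api/agents?host=x%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 212
203.0.113.7 - - [02/Feb/2026:08:03:30 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [02/Feb/2026:08:03:31 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [02/Feb/2026:08:03:32 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.9 - - [02/Feb/2026:08:04:00 +0000] "POST /login HTTP/1.1" 200 77
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)

# Heuristic indicators of SQL injection attempts in a decoded request path.
# These are deliberately broad; treat a hit as a lead to investigate, not proof.
SQLI_PATTERNS = [
    ("quote_then_boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*\d+\s*=\s*\d+", re.I)),
    ("trailing_comment", re.compile(r"(--|/\*)\s*$")),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(path):
    """Names of the indicator patterns that match the URL-decoded path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def review(log_text, fail_threshold=3):
    """Scan log text for injection indicators and repeated auth failures.

    Returns a dict with a list of (ip, decoded_path, indicators) tuples and a
    mapping of source IP -> count of 401s on /login at or above the threshold.
    """
    sqli_hits = []
    failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparsed lines are skipped, not silently trusted
        hits = sqli_indicators(rec["path"])
        if hits:
            sqli_hits.append((rec["ip"], unquote_plus(rec["path"]), hits))
        # Assumption: the login endpoint is /login and a failure returns 401.
        if rec["path"].startswith("/login") and rec["status"] == "401":
            failures[rec["ip"]] += 1
    repeated = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"sqli_hits": sqli_hits, "repeated_auth_failures": repeated}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for ip, path, hits in result["sqli_hits"]:
        print(f"injection indicators from {ip}: {hits} in {path}")
    for ip, n in result["repeated_auth_failures"].items():
        print(f"{n} failed logins from {ip}")
```

Run it against 30 days of exported logs by swapping `SAMPLE_LOG` for the file contents. The value is in the pivot, not the pattern list: any source address that trips an injection indicator and then shows a successful request or a burst of authentication activity deserves a full timeline, and a server that exposes its management interface widely enough to collect hits like these from non-internal addresses needs the network restriction described above.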
One step you can take today
Pull up your asset inventory and confirm whether FortiClient EMS is in your environment, what version it is running, and who reaches it over the network.
If answering takes more than five minutes, your visibility into your own environment has a problem. Tech Cartographer's CIS IG1 gap analysis surfaces these blind spots and gives you a clear, prioritized remediation roadmap. Reach out and let's take a look together.