The federal deadline to patch a critical SQL injection flaw in endpoint management servers has expired. Initial access brokers are now pivoting to monetize persistent backdoors established on internet-exposed appliances that were not remediated by the April 16 cutoff.
Tracked as CVE-2026-21643, the flaw in Fortinet FortiClient EMS allows unauthenticated remote code execution. Because these servers manage the security posture of the entire endpoint fleet, they are prioritized for high-velocity exploitation. Security teams should now assume any unpatched, internet-facing EMS instance has been accessed by a threat actor.
The human element of “compliance fatigue” often leads to delayed patching for perimeter security tools. Attackers rely on this 48-72 hour gap between the deadline and actual deployment to establish silent persistence that remains hidden long after the software is updated.
– Verify that all Fortinet FortiClient EMS instances are running version 7.4.7 or higher.
– Conduct a retroactive forensic audit of any EMS server that was internet-exposed after April 13.
– Reset all administrative and service account credentials associated with the EMS platform.
– Strictly isolate the management plane behind a Zero Trust gateway and restrict access to authorized IP ranges.
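The four steps above can be turned into a per-host triage pass over an asset inventory. The script below is an added example, not Fortinet's, CISA's or the post author's tooling: the version floor (7.4.7), the April 13 exposure date and the four actions come from the checklist, while the inventory schema, host names, ISO dates (year 2026 assumed from the CVE identifier) and CIDR allow-lists are constructed for illustration. It deliberately compares versions as integer tuples so that 7.4.10 is correctly ranked above 7.4.7, a check that a plain string comparison gets wrong.

```python
"""Triage helper for the FortiClient EMS remediation checklist.

Added example, not Fortinet's or CISA's tooling. The version floor (7.4.7),
the exposure date (April 13) and the four remediation steps come from the
advisory; everything else is assumed: the inventory schema, the host names,
the ISO dates (year 2026 taken from the CVE identifier) and the CIDR fields.
"""
from datetime import date
from ipaddress import ip_network

PATCHED_VERSION = (7, 4, 7)          # "7.4.7 or higher"
EXPOSURE_CUTOFF = date(2026, 4, 13)  # "internet-exposed after April 13"; year assumed


def parse_version(text):
    """'7.4.10' -> (7, 4, 10). Comparing tuples avoids the classic string
    bug where '7.4.10' < '7.4.7' because '1' sorts before '7'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version):
    return parse_version(version) >= PATCHED_VERSION


def exposed_after_cutoff(exposed_from, exposed_until):
    """True if the management interface was reachable from the internet on
    or after the cutoff (treated inclusively). exposed_until=None means the
    interface is still exposed today."""
    if exposed_from is None:
        return False
    end = date.fromisoformat(exposed_until) if exposed_until else date.max
    return end >= EXPOSURE_CUTOFF


def management_plane_open(allowed_cidrs):
    """True if any allow-list entry is a default route (0.0.0.0/0 or ::/0),
    i.e. the management plane is not restricted to authorized ranges."""
    return any(ip_network(c, strict=False).prefixlen == 0 for c in allowed_cidrs)


def triage(host):
    """Map one inventory row to the checklist actions it still needs."""
    actions = []
    if not is_patched(host["version"]):
        actions.append("upgrade to 7.4.7 or higher")
    if exposed_after_cutoff(host.get("exposed_from"), host.get("exposed_until")):
        actions.append("forensic audit: assume the instance was accessed")
    # Credential reset is unconditional in the checklist.
    actions.append("reset admin and service account credentials")
    if management_plane_open(host.get("mgmt_allowed_cidrs", [])):
        actions.append("restrict management plane to authorized IP ranges")
    return actions


def triage_inventory(inventory):
    return {host["name"]: triage(host) for host in inventory}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    {"name": "ems-hq-01", "version": "7.4.7", "exposed_from": None,
     "exposed_until": None, "mgmt_allowed_cidrs": ["10.0.0.0/8"]},
    {"name": "ems-dc2-01", "version": "7.4.10", "exposed_from": "2026-04-01",
     "exposed_until": None, "mgmt_allowed_cidrs": ["0.0.0.0/0"]},
    {"name": "ems-lab-03", "version": "7.2.5", "exposed_from": "2026-03-20",
     "exposed_until": "2026-04-10", "mgmt_allowed_cidrs": ["192.0.2.0/24"]},
    {"name": "ems-branch-07", "version": "7.4.6", "exposed_from": "2026-04-14",
     "exposed_until": None, "mgmt_allowed_cidrs": ["203.0.113.0/24", "::/0"]},
]

if __name__ == "__main__":
    for name, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for action in actions:
            print("  -", action)
```

Note that ems-lab-03 is unpatched but its exposure ended before the cutoff, so it gets an upgrade and credential reset but no audit flag, while ems-dc2-01 is fully patched yet still needs the audit because patching does not remove a backdoor planted earlier.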
Remediation after a federal deadline must move from simple patching to a full compromise assessment and identity reset. #CodeDefence #Fortinet #CISA #EndpointSecurity