Unauthenticated attackers are rampantly exploiting a critical SQL injection flaw in endpoint management servers to execute unauthorized commands. The volume of exploitation has increased significantly following the federal remediation deadline as initial access brokers pivot to monetize unpatched appliances.
CVE-2026-21643 affects Fortinet FortiClient Enterprise Management Server (EMS). This vulnerability allows unauthenticated remote attackers to execute arbitrary code via crafted HTTP requests. Since its inclusion in the CISA KEV catalog, researchers have observed automated clusters mapping and exploiting exposed management interfaces in the healthcare and finance sectors.
Endpoint management servers are prioritized for exploitation because they maintain root-level access and persistent communication channels to every device in the enterprise. A compromise of the EMS server effectively grants the attacker control over the security policies and data access of the entire managed fleet.
– Upgrade Fortinet FortiClient EMS to version 7.4.7 or higher immediately to neutralize CVE-2026-21643.
– Conduct a forensic audit of any internet-exposed EMS instance for unauthorized administrative accounts or anomalous shell commands.
– Reset all administrative and service account credentials associated with the EMS platform following the patch.
– Strictly isolate the management plane behind a Zero Trust gateway and restrict access to authorized IP ranges only.
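The four steps above amount to a fleet triage: find every EMS instance below 7.4.7, rank the internet-exposed ones first, and flag administrative accounts that nobody approved. The script below is an added example (not Fortinet code and not from the original post) that runs that triage over a constructed inventory. The inventory field names (host, version, internet_exposed, admins), the approved-admin list and all sample values are hypothetical; the only fact it takes from the post is the 7.4.7 fixed version.

```python
"""Triage helper for a fleet inventory of FortiClient EMS instances.

Added example, not Fortinet code. The inventory schema and the sample
data below are constructed for illustration; adapt them to whatever
your asset inventory actually exports.
"""
from typing import Iterable

FIXED_VERSION = (7, 4, 7)  # first fixed release named in the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'major.minor.patch' into integers.

    Comparing as integers makes 7.4.10 rank above 7.4.7; a plain string
    comparison would wrongly treat 7.4.10 as vulnerable.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the EMS build is older than the 7.4.7 fixed release."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: Iterable[dict], approved_admins: set[str]) -> list[dict]:
    """Return prioritised findings for every EMS host that needs action."""
    findings = []
    for ems in inventory:
        issues = []
        unpatched = is_vulnerable(ems["version"])
        if unpatched:
            issues.append(f"unpatched ({ems['version']} < 7.4.7): upgrade")
        # Any admin account not on the approved list is an audit item.
        unknown = sorted(set(ems["admins"]) - approved_admins)
        if unknown:
            issues.append("unapproved admin accounts: " + ", ".join(unknown))
        if not issues:
            continue
        # Internet-exposed and unpatched hosts go first; they also need the
        # forensic audit and credential reset the advisory calls for.
        if unpatched and ems["internet_exposed"]:
            priority = "P1"
            issues.append("forensic audit and credential reset required after patch")
        elif unpatched:
            priority = "P2"
        else:
            priority = "P3"
        findings.append({"host": ems["host"], "priority": priority, "issues": issues})
    findings.sort(key=lambda f: f["priority"])
    return findings


# Constructed sample inventory (hypothetical hosts, versions and accounts).
SAMPLE_INVENTORY = [
    {"host": "ems-hq", "version": "7.4.7", "internet_exposed": True, "admins": ["admin", "ops.jane"]},
    {"host": "ems-dc2", "version": "7.4.6", "internet_exposed": True, "admins": ["admin", "svc_backup"]},
    {"host": "ems-lab", "version": "7.2.3", "internet_exposed": False, "admins": ["admin"]},
    {"host": "ems-eu", "version": "7.4.10", "internet_exposed": False, "admins": ["admin", "ops.jane"]},
]
APPROVED_ADMINS = {"admin", "ops.jane"}  # constructed allowlist

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, APPROVED_ADMINS):
        print(finding["priority"], finding["host"], "; ".join(finding["issues"]))
```

On the sample data, ems-dc2 comes out as P1 (unpatched, exposed, and carrying an account not on the allowlist) and ems-lab as P2, while the two hosts already at or above 7.4.7 produce no finding. The version parser deliberately rejects anything that is not three numeric components, so a malformed inventory row fails loudly instead of being silently classed as patched.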
The integrity of the endpoint fleet is entirely dependent on the security of the server that manages it. #CodeDefence #Fortinet #CISA #EndpointSecurity
