What Happened
Active exploitation of CVE-2026-21643 in Fortinet FortiClient Endpoint Management Server (EMS) was confirmed by threat intelligence firm Defused around March 26, 2026. BleepingComputer and Help Net Security reported the exploitation on March 30, and the attack surface remains significant: Shodan scans show roughly 1,000 FortiClient EMS instances directly accessible from the public internet.
The vulnerability is a SQL injection in the HTTP "Site" header, which EMS uses to identify the tenant a request belongs to. The header value is passed into a database query without sanitization, and that tenant lookup runs before any authentication step, so no credentials are required. An attacker sends an otherwise ordinary HTTP request with a SQL payload in the Site header and, through the injection, reaches unauthenticated remote code execution on the EMS host. Bishop Fox published a technical analysis and exploitation paths in early March 2026, which materially shortened the time to in-the-wild exploitation.
The vulnerability affects FortiClient EMS v7.4.4 only; Fortinet fixed it in version 7.4.5. The flaw carries a CVSS v3.1 base score of 9.8, critical severity: reachable over the network, low attack complexity, no privileges and no user interaction required.
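To make the mechanism concrete, here is an illustrative tenant lookup of the shape described above. It is an added example, not Fortinet's code: the schema, table and column names, the sqlite backend and the sample payload are all assumptions for the demonstration, and it stops at data disclosure, since the step from injection to code execution depends on the real backend and is not modeled here. The vulnerable form splices the header into the query text, so a crafted Site value rewrites the query and reads from an unrelated table before any credential is checked; the hardened form binds the header as a parameter and, as defense in depth, rejects values that do not look like a tenant name at all.

```python
import re
import sqlite3

# Constructed payload: closes the string literal, appends a UNION that reads another
# table, and comments out the trailing quote the application would have added.
DEMO_PAYLOAD = "x' UNION SELECT password_hash FROM admins--"


def make_db():
    """In-memory stand-in for the EMS database. Schema and rows are constructed for the
    example; this is not FortiClient EMS's real schema, and sqlite is only a stand-in."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tenants (site TEXT PRIMARY KEY, tenant_id INTEGER);
        INSERT INTO tenants VALUES ('acme', 1), ('globex', 2);
        CREATE TABLE admins (username TEXT, password_hash TEXT);
        INSERT INTO admins VALUES ('admin', 'pbkdf2$constructed-hash-value');
    """)
    return conn


def resolve_tenant_vulnerable(conn, site_header):
    """Pre-authentication tenant lookup with the header interpolated into SQL text.
    Whatever the client puts in the Site header becomes part of the statement."""
    query = f"SELECT tenant_id FROM tenants WHERE site = '{site_header}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def is_plausible_site(site_header):
    """Shape check applied before any query: tenant names are short tokens, so anything
    with quotes, spaces or comment sequences is rejected outright (hypothetical policy)."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", site_header) is not None


def resolve_tenant_hardened(conn, site_header):
    """Same lookup with a bound parameter: the header can only ever be compared as a
    value, never parsed as SQL, and implausible values never reach the database."""
    if not is_plausible_site(site_header):
        return None
    row = conn.execute(
        "SELECT tenant_id FROM tenants WHERE site = ?", (site_header,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("benign header, vulnerable:", resolve_tenant_vulnerable(db, "acme"))
    print("benign header, hardened:  ", resolve_tenant_hardened(db, "acme"))
    print("payload, vulnerable:      ", resolve_tenant_vulnerable(db, DEMO_PAYLOAD))
    print("payload, hardened:        ", resolve_tenant_hardened(db, DEMO_PAYLOAD))
```

Run it and the vulnerable lookup returns the admin password hash for the crafted header, while the hardened lookup returns nothing; the benign tenant name resolves identically in both. The parameter binding is the actual fix; the shape check is belt-and-braces so that a future query that forgets to bind still never sees a quote character.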
Why This Matters for Canadian Organizations
Fortinet is one of the most widely deployed network and endpoint security vendors in Canada. FortiClient EMS is the centralized management server for FortiClient endpoint agents used across federal and provincial government departments, healthcare networks, financial institutions, and mid-market enterprises. A compromised EMS server gives an attacker administrative control over endpoint configuration and telemetry, and the ability to push malicious updates or policies to every FortiClient endpoint the server manages.
Canadian security teams need to assess this vulnerability with the same urgency applied to authentication bypass flaws in perimeter devices. The attack is unauthenticated, low-complexity, and now confirmed active. An attacker who achieves RCE on a FortiClient EMS server gains a position from which to move laterally across the managed endpoint fleet.
The Canadian Centre for Cyber Security (CCCS) tracks Fortinet vulnerabilities closely given the vendor’s prevalence in Canadian critical infrastructure. While no CCCS advisory has been published as of the time of writing, the CVSS score and confirmed active exploitation status meet the thresholds that have historically triggered CCCS guidance. Organizations on the CCCS alert distribution list should monitor for an advisory.
For organizations running FortiClient EMS with the management interface facing the internet, directly or behind a load balancer, the risk of compromise before patching is high. Internally hosted deployments are not safe either: an attacker who already holds a foothold on any system that can reach the EMS web interface can send the same pre-authentication request.
What to Do
1. Upgrade FortiClient EMS to version 7.4.5 immediately.
2. If patching cannot be completed within 24 to 48 hours, take the EMS management interface offline or restrict it to known IP ranges with firewall rules until the patch is applied.
3. Check whether the EMS server is reachable from the public internet, directly or through a load balancer, and eliminate that exposure if present.
4. Audit the EMS web server's HTTP request logs, not only its authentication logs, since the exploit completes without ever authenticating. Look for anomalous Site header values: SQL metacharacters or keywords, oversized values, or names that match no tenant the server serves.
5. Once patched, review endpoint policies and configuration pushed from the EMS server for unauthorized changes. Use early March 2026, when the Bishop Fox exploitation details became public, as the start of the review window rather than only the March 26 confirmation of active exploitation.
6. If you use FortiClient for VPN or zero-trust access, treat any period of EMS exposure as grounds for rotating credentials on the affected endpoints.
7. Report any confirmed indicators of compromise to the CCCS at contact@cyber.gc.ca.
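As an added example of the log audit step (not from the page and not a Fortinet tool), the triage below sweeps request logs for Site header values that contain SQL metacharacters or keywords, or that match no tenant the server is known to serve, and lists the source addresses worth investigating first. The JSON-lines log layout, the request paths and the sample records are constructed for the example and are not FortiClient EMS's real log format; adapt the parsing to whatever your EMS web server or reverse proxy actually records, and populate the known-tenant set from your own deployment.

```python
import json
import re

# Tenant names this EMS actually serves. Constructed for the example; fill in your own.
KNOWN_SITES = frozenset({"acme", "globex"})
MAX_SITE_LEN = 64

# Heuristic SQL-injection indicators. Known tenant names are allowlisted first, so these
# only run against values that already fail to match a real tenant.
SQLI_PATTERN = re.compile(
    r"'|--|;|/\*|\b(union|select|insert|update|delete|sleep|waitfor|benchmark|xp_\w+)\b",
    re.IGNORECASE,
)

# Constructed sample log (JSON lines with request headers captured). The field names,
# paths and addresses are assumptions for the example, not real EMS output.
SAMPLE_LOG = """\
{"ts":"2026-03-27T02:11:09Z","src":"203.0.113.7","method":"GET","path":"/api/v1/login","headers":{"Site":"acme"}}
{"ts":"2026-03-27T02:11:10Z","src":"198.51.100.23","method":"POST","path":"/api/v1/login","headers":{"Site":"acme' UNION SELECT 1,2,3--"}}
{"ts":"2026-03-27T02:11:12Z","src":"198.51.100.23","method":"POST","path":"/api/v1/login","headers":{"site":"x'; SELECT 1--"}}
{"ts":"2026-03-27T02:12:01Z","src":"10.20.30.40","method":"GET","path":"/api/v1/status","headers":{"Site":"globex"}}
{"ts":"2026-03-27T02:12:44Z","src":"198.51.100.23","method":"GET","path":"/api/v1/status","headers":{}}
this line is not JSON and is skipped rather than aborting the sweep
{"ts":"2026-03-27T02:13:02Z","src":"192.0.2.99","method":"GET","path":"/api/v1/login","headers":{"Site":"not-a-tenant"}}
"""


def classify_site_header(site, known_sites=KNOWN_SITES):
    """Return (severity, reason) for one Site header value, or None if it looks benign."""
    if site is None or site in known_sites:
        return None
    if SQLI_PATTERN.search(site):
        return ("high", "SQL metacharacters or keywords in Site header")
    if len(site) > MAX_SITE_LEN:
        return ("medium", "oversized Site header")
    return ("medium", "Site header matches no known tenant")


def triage(log_text, known_sites=KNOWN_SITES):
    """Parse JSON-lines request logs and return one finding per suspicious Site header."""
    findings = []
    for raw in log_text.splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate junk lines; a partial sweep beats no sweep
        # Header names are case-insensitive on the wire, so normalise before lookup.
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        verdict = classify_site_header(headers.get("site"), known_sites)
        if verdict:
            severity, reason = verdict
            findings.append({
                "ts": rec.get("ts"), "src": rec.get("src"), "path": rec.get("path"),
                "site": headers.get("site"), "severity": severity, "reason": reason,
            })
    return findings


def sources_to_investigate(findings):
    """Source addresses with at least one high-severity hit, sorted for stable output."""
    return sorted({f["src"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]:<15} {h["severity"]:<6} {h["reason"]} :: {h["site"]!r}')
    print("investigate first:", sources_to_investigate(hits))
```

On the sample, the two requests carrying quote characters and SQL keywords are flagged high, the unknown tenant name is flagged medium as a lead rather than a verdict, and the single source behind the high hits is returned for follow-up. A real run should pivot from those addresses to every request they made, including ones without a Site header, since post-exploitation traffic will not carry the payload.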
Source: BleepingComputer | Help Net Security
