[KEV] CVE-2026-21643 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-21643 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-21643 is a SQL injection vulnerability in Fortinet FortiClient EMS, an enterprise endpoint management server, exploitable by unauthenticated remote attackers via crafted HTTP requests.

Technical Detail

The flaw exists in FortiClient EMS's handling of HTTP request input, where user-supplied data is not properly sanitized before being incorporated into SQL queries. An unauthenticated attacker can send specially crafted HTTP requests to exploit this injection point, potentially achieving remote code execution or unauthorized command execution on the underlying server. The combination of no authentication requirement and direct code execution capability makes this a critical attack path despite the currently assigned CVSS score of 0.0, which likely reflects incomplete scoring data rather than low actual risk.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 13, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliably achieving the described impact is in active use by attackers, not merely available as a proof of concept. Organizations should treat this as under active attack.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No campaigns, targeted sectors, or named threat groups have been associated with exploitation of this vulnerability in available intelligence. Given the nature of the target (enterprise endpoint management infrastructure), opportunistic and targeted actors alike may have interest in this vulnerability.

What To Do

Apply the vendor-supplied patch from Fortinet immediately. Per CISA's binding operational directive (BOD 22-01), federal civilian executive branch agencies are required to remediate this vulnerability by the deadline associated with the April 13, 2026 KEV listing. All organizations should treat patching as urgent given confirmed active exploitation. If patching cannot be completed immediately, restrict external network access to the FortiClient EMS web interface and limit exposure to trusted internal networks only. Monitor FortiClient EMS logs for anomalous or malformed HTTP requests, unexpected SQL errors, and unusual process execution originating from the EMS service. Verify the integrity of the EMS server and review for indicators of prior compromise before applying the patch.