CVE-2026-21643

CRITICAL KEV NUCLEI

Fortinet FortiClientEMS <7.4.4 - SQL Injection

Title source: llm

Exploitation Summary

CVE-2026-21643 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 13, 2026. EIP tracks 3 public exploits from researchers including XZ1r0, 0xBlackash and alirezac0. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python script and Nuclei template for detecting CVE-2026-21643, a pre-authentication SQL injection vulnerability in FortiClient EMS 7.4.4. The exploit leverages the `Site` HTTP header to inject SQL payloads into the `/api/v1/init_consts` and `/api/v1/auth/signin` endpoints, demonstrating both error-based and time-based SQL injection techniques.

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Exploits (3)

github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/web/CVE-2026-21643

This repository contains a functional Python script and Nuclei template for detecting CVE-2026-21643, a pre-authentication SQL injection vulnerability in FortiClient EMS 7.4.4. The exploit leverages the `Site` HTTP header to inject SQL payloads into the `/api/v1/init_consts` and `/api/v1/auth/signin` endpoints, demonstrating both error-based and time-based SQL injection techniques.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: FortiClient EMS 7.4.4
No auth needed
Prerequisites: Network access to the target FortiClient EMS instance
devstral-2 · analyzed May 21, 2026
nomisec WORKING POC
by 0xBlackash · infoleak
https://github.com/0xBlackash/CVE-2026-21643

The repository contains a functional Python PoC for CVE-2026-21643, a pre-auth SQL injection vulnerability in Fortinet FortiClientEMS 7.4.4. The exploit targets the 'Site' header in HTTP requests to the '/api/v1/init_consts' endpoint, potentially leading to RCE via SQLi.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiClientEMS 7.4.4
No auth needed
Prerequisites: Network access to the FortiClientEMS administrative interface
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC
by alirezac0 · infoleak
https://github.com/alirezac0/CVE-2026-21643

This repository contains a functional Python script and Nuclei template for detecting CVE-2026-21643, a pre-authentication SQL injection vulnerability in FortiClient EMS 7.4.4. The exploit leverages the `Site` HTTP header to inject SQL payloads into the `/api/v1/init_consts` and `/api/v1/auth/signin` endpoints.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: FortiClient EMS 7.4.4
No auth needed
Prerequisites: Network access to the target FortiClient EMS instance
devstral-2 · analyzed Apr 09, 2026

Nuclei Templates (1)

Fortinet FortiClientEMS 7.4.4 - SQL Injection
CRITICAL · by ritikchaddha
Shodan: http.favicon.hash:-800551065
FOFA: icon_hash="-800551065"

Scores

CVSS v3 9.8
EPSS 0.7089
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-04-13
VulnCheck KEV 2026-03-28
ENISA EUVD EUVD-2026-5681
CWE
CWE-89
Status published
Products (3)
fortinet/forticlientems 7.4.4
fortinet/forticlientems 7.4.0 - 7.4.5
Fortinet/FortiClientEMS 7.4.4
Published Feb 06, 2026
KEV Added Apr 13, 2026
Tracked Since Feb 18, 2026