
CVE-2026-21643: FortiClient EMS Pre-Auth RCE Hits Saudi Banks

A pre-auth SQL injection in Fortinet FortiClient EMS 7.4.4 (CVSS 9.8) escalates to full host RCE via PostgreSQL superuser abuse. CISA KEV-listed and actively exploited — direct impact on SAMA-regulated Saudi banks.

FyntraLink Team

A pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 — tracked as CVE-2026-21643 with a CVSS score of 9.8 — has been added to the CISA KEV catalog after confirmed in-the-wild exploitation. Because FortiClient EMS sits at the heart of endpoint posture and NAC enforcement in many Saudi banks, the blast radius extends from the management console to every managed laptop, ATM workstation, and branch endpoint under SAMA CSCC scope.

Why CVE-2026-21643 is more dangerous than a typical SQLi

The flaw lives in the FortiClient EMS web interface and is reached through the publicly exposed /api/v1/init_consts endpoint via a malformed Site HTTP header. Because the endpoint runs before authentication and returns verbose database errors with no rate limiting or lockout, an attacker can extract data within seconds. Bishop Fox traced the regression to a single change in EMS 7.4.4 where parameterized queries in the multitenancy layer were replaced with raw string interpolation — turning a hardened tenancy boundary into a pre-auth data-exfiltration primitive.

The escalation path is what makes this a board-level issue. In the official Fortinet virtual appliance, the PostgreSQL service account holds superuser privileges. That allows an attacker who has reached SQLi to abuse COPY ... TO/FROM PROGRAM to write files and execute OS commands as the postgres user on the underlying host — effectively converting an unauthenticated HTTP request into remote code execution on the EMS server.
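As an added illustration of the regression described above (not FortiClient EMS code and not taken from the Bishop Fox write-up), the interpolated tenant lookup beside its parameterized form, using an in-memory sqlite3 table as a stand-in for the PostgreSQL tenant table; the table and column names are assumptions:

```python
import sqlite3

# Constructed stand-in for a tenant lookup keyed by the Site header.
# sqlite3 replaces PostgreSQL so the example runs offline; the table
# and column names are assumptions, not the FortiClient EMS schema.
SCHEMA = """
CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT NOT NULL, api_key TEXT NOT NULL);
INSERT INTO sites VALUES (1, 'Default', 'key-default');
INSERT INTO sites VALUES (2, 'branch-riyadh', 'key-riyadh');
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_site_interpolated(conn, site_header):
    # The regression pattern: the header value is pasted into the SQL text,
    # so a quote inside it rewrites the statement instead of being data.
    sql = f"SELECT name, api_key FROM sites WHERE name = '{site_header}'"
    return conn.execute(sql).fetchall()

def lookup_site_parameterized(conn, site_header):
    # Hardened form: the driver binds the value; quotes inside it are inert.
    sql = "SELECT name, api_key FROM sites WHERE name = ?"
    return conn.execute(sql, (site_header,)).fetchall()

def compare(site_header):
    """Run both lookups on the same header value and return what each yields."""
    conn = fresh_db()
    try:
        raw = lookup_site_interpolated(conn, site_header)
    except sqlite3.Error as exc:
        # A verbose database error returned to the client is itself a leak,
        # which is what makes an unauthenticated, unthrottled endpoint so cheap to probe.
        raw = f"error: {exc}"
    return {"interpolated": raw, "parameterized": lookup_site_parameterized(conn, site_header)}

if __name__ == "__main__":
    for hdr in ("branch-riyadh", "it's", "x' OR 'a'='a"):
        print(repr(hdr), compare(hdr))
```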

Confirmed exploitation timeline

Fortinet published advisory FG-IR-25-672 on 6 February 2026. Bishop Fox and Horizon3.ai released technical write-ups in late March, and Help Net Security flagged in-the-wild exploitation on 30 March 2026. CISA added CVE-2026-21643 to the Known Exploited Vulnerabilities catalog on 13 April 2026, requiring U.S. federal agencies to remediate within two weeks. CrowdSec telemetry has since logged 51 distinct attacking IPs probing exposed EMS instances — meaning Saudi banks running 7.4.4 with internet-reachable management interfaces have already been scanned, whether they know it or not.

Impact on Saudi financial institutions

FortiClient EMS is the central control plane for endpoint compliance, ZTNA tagging, and FortiNAC integration in a large share of Saudi tier-1 and tier-2 banks. A compromise of EMS yields three regulatory-grade incidents under SAMA Cyber Security Framework v1.0 and the SAMA Cyber Security Controls Compendium (CSCC):

  1. Loss of endpoint integrity (CSCC 3.3.10 Endpoint Security): Attackers can extract managed-endpoint inventory — hostnames, IPs, OS versions, serial numbers — and silently re-tag devices as "compliant" to bypass NAC posture checks at branch and ATM segments.
  2. Privileged credential exposure (CSCC 3.3.5 IAM, NCA ECC-2:2024 control 2-2-3): Admin password hashes, API tokens, JWT secrets, and AD service-account credentials stored in the EMS database become attacker-controlled — feeding lateral movement into AD, FortiAnalyzer, and connected SOAR pipelines.
  3. Personal data exposure (PDPL Articles 18 & 25): Endpoint metadata that links a device to a named employee or customer-facing teller workstation is personal data under the Saudi Personal Data Protection Law. Unauthorized disclosure triggers SDAIA breach notification obligations within 72 hours.

For PCI-DSS v4.0.1 environments — every card-issuing bank and payment processor — Requirement 6.3.3 obliges installation of vendor-supplied critical patches within one month of release. The 6 February advisory means that window has already closed for unpatched institutions.

Recommendations and concrete steps

  1. Patch immediately to FortiClient EMS 7.4.5 or later. If you are on 7.2.x or 8.0.x, you are not affected — but verify build numbers against Fortinet PSIRT advisory FG-IR-25-672 rather than relying on branch labels alone.
  2. If patching is delayed, kill the attack surface. Disable multitenancy mode (single-site deployments are not vulnerable) or restrict the EMS web interface to a management VLAN reachable only via jump host. Never expose /api/v1/init_consts to the internet — review your perimeter and FortiGate VIPs today.
  3. Rotate every secret stored in EMS. Assume admin password hashes, API tokens, AD bind credentials, and FortiAnalyzer integration keys are compromised. Force password resets and re-issue API tokens before re-exposing the service.
  4. Hunt for post-exploitation artifacts. Search EMS PostgreSQL logs for unusual COPY ... PROGRAM statements, unexpected child processes of postgres.exe or postgres, anomalous outbound connections from the EMS host, and modifications to pg_hba.conf. Pivot into FortiAnalyzer to look for endpoint re-tagging events that don't match a change ticket.
  5. File a SAMA-aligned incident report. If exploitation is confirmed or even reasonably suspected, treat it as a Major Cyber Incident under SAMA CSCC 4.1 and notify the Banking Supervision Department within the prescribed window. Pre-build the notification template — don't draft it under pressure.
  6. Add a virtual patch at the WAF. Block requests with suspicious Site headers (containing SQL meta-characters such as ', --, UNION, or hex-encoded payloads) destined for /api/v1/init_consts. Treat this as a stop-gap, not a substitute for patching.
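An added starting point for recommendations 4 and 6 (not a Fortinet or Fyntralink tool): a scan of PostgreSQL statement-log lines for COPY ... TO/FROM PROGRAM, and a Site-header check scoped to /api/v1/init_consts that a WAF virtual patch could mirror. The log lines are constructed, and the log format assumes statement logging is enabled on the EMS database:

```python
import re

# Constructed PostgreSQL log lines (assumption: log_statement is set so that
# statements are logged; a real log also carries a configurable line prefix).
SAMPLE_PG_LOG = """\
LOG:  statement: SELECT name FROM sites WHERE name = 'branch-riyadh'
LOG:  statement: COPY (SELECT '') TO PROGRAM 'whoami'
ERROR:  syntax error at or near "'" at character 45
LOG:  statement: COPY t FROM PROGRAM 'id'
LOG:  statement: COPY sites TO '/tmp/export.csv'
"""

# Only COPY with TO PROGRAM / FROM PROGRAM spawns an OS process; plain file COPY does not.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b", re.IGNORECASE)

def hunt_copy_program(log_text):
    """Return (line_no, line) for every logged statement that runs COPY ... PROGRAM."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if COPY_PROGRAM.search(line):
            hits.append((n, line.strip()))
    return hits

# Virtual-patch rule: only the init_consts path is in scope and only the Site
# header is inspected. The deny-list is the meta-characters the text names plus
# a hex-escape pattern; the allowlist is an assumed shape for a legitimate site
# name and should be tuned against your own traffic before enforcing.
SQL_META = re.compile(r"('|--|\bUNION\b|0x[0-9a-f]{2,}|\\x[0-9a-f]{2})", re.IGNORECASE)
SAFE_SITE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def should_block(path, headers):
    """True when a request to /api/v1/init_consts carries a Site header that is not a plain site name."""
    if path.split("?", 1)[0] != "/api/v1/init_consts":
        return False
    site = next((v for k, v in headers.items() if k.lower() == "site"), None)
    if site is None:
        return False
    return bool(SQL_META.search(site)) or not SAFE_SITE.match(site)

if __name__ == "__main__":
    for n, line in hunt_copy_program(SAMPLE_PG_LOG):
        print(f"line {n}: {line}")
    print(should_block("/api/v1/init_consts", {"Site": "branch-riyadh"}))
    print(should_block("/api/v1/init_consts", {"Site": "x' OR 'a'='a"}))
```

Feed hunt_copy_program the real postgresql log and treat any hit on the EMS host as an incident lead, since nothing in normal EMS operation should need COPY ... PROGRAM.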

Conclusion

CVE-2026-21643 is the canonical "small code change, catastrophic outcome" vulnerability — one regression turned a multitenancy feature into a pre-auth path to SYSTEM. Saudi banks that run FortiClient EMS as a compliance hub cannot treat this as a vendor-managed concern; the responsibility under SAMA CSCC, NCA ECC-2:2024, and PDPL stays with the regulated entity. The window for proactive patching is closing. The window for being asked uncomfortable questions in your next SAMA on-site has already opened.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a focused FortiClient EMS exposure review.