CVE-2026-21643: FortiClient EMS SQL Injection Under Active Attack — Patch Before Attackers Steal Your Endpoint Inventory

A pre-auth SQL injection in FortiClient EMS 7.4.4 lets attackers dump admin credentials and endpoint policies with a single HTTP request. Exploitation began March 26 — here's what Saudi CISOs must do now.

FyntraLink Team

On March 26, 2026, threat actors began exploiting CVE-2026-21643 — a pre-authentication SQL injection in Fortinet FortiClient Endpoint Management Server (EMS) 7.4.4 that requires nothing more than a single crafted HTTP request to extract admin credentials, endpoint inventories, and security policies from the backing PostgreSQL database. With close to 1,000 FortiClient EMS instances exposed on Shodan globally, and Fortinet products deployed across Saudi banks, insurers, and fintech companies, this vulnerability demands immediate attention from every CISO operating under SAMA supervision.

How CVE-2026-21643 Works: One Header, Full Database Access

The root cause sits in a change Fortinet introduced to the multi-tenant database connection layer in version 7.4.4. Prior releases handled tenant selection through parameterized queries, but 7.4.4 replaced that approach with raw string interpolation on the Site HTTP header processed by the /api/v1/init_consts endpoint. The result is a textbook pre-authentication SQL injection. Bishop Fox's advisory demonstrates how an attacker can inject a payload such as Site: x'; SELECT pg_sleep(4)-- to confirm blind injection, then pivot to data exfiltration using stacked queries against PostgreSQL.
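As an added illustration of the pattern the paragraph describes (this is not Fortinet's code, which is not public, and it makes no claim about how EMS is actually written), the following Python runs the same Site header value through two tenant lookups against an in-memory sqlite3 table standing in for the EMS PostgreSQL tenant table: one that splices the header into the SQL text, one that binds it as a parameter. The table, its contents, the tenant-name allowlist and the function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the EMS multi-tenant lookup table; sqlite3 is used
# only so the example runs offline (the real backing store is PostgreSQL).
def build_tenant_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sites (name TEXT, tenant_id INTEGER)")
    con.executemany(
        "INSERT INTO sites VALUES (?, ?)",
        [("default", 1), ("branch-riyadh", 2), ("branch-jeddah", 3)],
    )
    return con

def lookup_tenant_interpolated(con, site_header):
    """Vulnerable pattern: the header value becomes part of the SQL text,
    so quote characters inside it change the structure of the query."""
    sql = f"SELECT tenant_id FROM sites WHERE name = '{site_header}'"
    return [row[0] for row in con.execute(sql)]

def lookup_tenant_parameterized(con, site_header):
    """Hardened pattern: the header value is bound as a parameter and is
    compared as data, whatever characters it contains."""
    sql = "SELECT tenant_id FROM sites WHERE name = ?"
    return [row[0] for row in con.execute(sql, (site_header,))]

# Hypothetical allowlist for tenant names (assumption: site names are short
# identifiers). Defense in depth: the header is rejected before any query runs,
# independently of how the query code is written.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def site_header_is_valid(site_header):
    return bool(SITE_NAME_RE.match(site_header))

def compare(site_header):
    """Run one header value through the allowlist and both lookups."""
    con = build_tenant_db()
    return {
        "valid_header": site_header_is_valid(site_header),
        "interpolated": lookup_tenant_interpolated(con, site_header),
        "parameterized": lookup_tenant_parameterized(con, site_header),
    }

if __name__ == "__main__":
    # A legitimate tenant name resolves identically either way.
    print(compare("branch-riyadh"))
    # A value carrying a quote rewrites the interpolated query's WHERE clause
    # and returns every tenant; the parameterized query simply matches nothing.
    print(compare("x' OR '1'='1"))
```

The point of the comparison is that the fix in 7.4.5 (returning to parameterized queries) removes the whole class of problem rather than one payload: under parameter binding the header can never terminate the string literal, so there is nothing for stacked queries or comment markers to attach to. The allowlist is worth keeping even after patching, because it turns a malformed header into a rejected request that can be logged and alerted on.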

Because FortiClient EMS is the central management plane for an organization's entire endpoint fleet, a successful exploit gives attackers access to administrator credentials, managed endpoint inventories including hostnames and IP addresses, deployed security policies and antivirus configurations, and TLS certificates used for agent-to-server communication. An attacker who obtains these artifacts can disable endpoint protection silently, push malicious policies to managed devices, or impersonate the EMS server to deploy backdoored agent updates — turning a single SQL injection into a full-blown supply chain compromise.

Active Exploitation Timeline and Current Status

Defused Cyber's telemetry pinpoints initial exploitation to March 26, 2026 — four days before the public advisory cycle caught up. Despite confirmed in-the-wild attacks, CISA has not yet added CVE-2026-21643 to its Known Exploited Vulnerabilities (KEV) catalog as of April 1. This lag means organizations relying exclusively on KEV-driven patching cadences are operating with a blind spot. Security researchers at SecPod and SOC Prime have published detection signatures, and Bleeping Computer confirmed multiple incident reports tied to the flaw.

The vulnerability carries a CVSS score of 9.1 and affects only FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not impacted. Fortinet released the fix in version 7.4.5, and organizations should treat this upgrade as an emergency change rather than a routine maintenance window.

Why This Matters for Saudi Financial Institutions

Fortinet products are deeply embedded in Saudi financial infrastructure. Banks, insurance companies, and payment processors use FortiClient EMS to manage endpoint agents across branch networks, remote workforces, and ATM fleets. A compromise of the EMS server effectively hands an attacker the keys to every managed endpoint in the organization — a scenario that directly violates several SAMA Cyber Security Framework (CSCC) domains.

SAMA CSCC Domain 3 (Technology Risk Management) requires institutions to maintain secure configuration baselines and patch critical vulnerabilities within defined SLAs. Domain 5 (Cyber Security Operations) mandates continuous monitoring and incident detection capabilities that should flag anomalous SQL injection traffic against internal management interfaces. Furthermore, NCA's Essential Cybersecurity Controls (ECC-2:2024) Control 2-7-3 requires organizations to apply critical security patches within 48 hours of vendor release when active exploitation is confirmed. Any institution running FortiClient EMS 7.4.4 that has not upgraded to 7.4.5 is now non-compliant with this control.

The data exposed through this vulnerability — endpoint inventories, security policies, admin credentials — also falls squarely under the Saudi Personal Data Protection Law (PDPL). If attackers exfiltrate employee device records or use stolen certificates to intercept communications, the resulting breach triggers PDPL notification obligations and potential penalties.

Immediate Remediation Steps

  1. Verify your FortiClient EMS version. Run fctems --version or check the admin console. If you are on 7.4.4 with multi-tenancy enabled, you are vulnerable. Upgrade to 7.4.5 immediately through Fortinet's support portal.
  2. Restrict network access to the EMS administrative interface. The /api/v1/init_consts endpoint should never be reachable from the internet. Apply firewall rules to limit access to authorized management VLANs only. Review Shodan and Censys for any unintended exposure of your EMS instance.
  3. Rotate all EMS administrator credentials. Assume credentials stored in the PostgreSQL database have been compromised if your instance was internet-facing at any point since March 26. Rotate passwords, revoke and reissue TLS certificates used for agent communication, and regenerate API tokens.
  4. Audit endpoint agent integrity. Compare deployed agent versions and policy checksums against known-good baselines. Look for unauthorized policy changes, disabled real-time protection, or unexpected agent update pushes that could indicate post-exploitation activity.
  5. Deploy detection rules. Add IDS/IPS signatures for SQL injection patterns in the Site HTTP header targeting FortiClient EMS endpoints. SOC Prime's Threat Detection Marketplace has published Sigma rules for CVE-2026-21643 that can be imported into your SIEM.
  6. Review PostgreSQL logs. Search for anomalous queries, especially pg_sleep, COPY TO, or lo_export commands originating from the EMS application. These indicate active exploitation attempts or successful data exfiltration.
  7. Report to SAMA and NCA. If evidence of exploitation is found, Saudi financial institutions are required to notify SAMA's Cyber Threat Intelligence unit and file an incident report per CSCC Domain 6 (Cyber Security Incident Management) within the mandated timeframe.
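Steps 5 and 6 above can be turned into a first-pass triage script. The following Python is an added example, not a FyntraLink, SOC Prime or Fortinet tool: it parses constructed sample lines from a reverse proxy in front of EMS (assumed here to log the Site header as a trailing `"site=..."` field, which is not a Fortinet log format) and from a PostgreSQL log with `log_statement = 'all'`, flags Site header values that fail a tenant-name allowlist, and flags statements containing the indicators the list names (pg_sleep, COPY ... TO, lo_export) plus stacked statements. Table and file names in the sample lines are constructed.

```python
import re

# Constructed sample: proxy access log with the Site header as the last field
# (assumption about the proxy's log format, not EMS's own logging).
ACCESS_LOG = """\
10.20.0.5 - - [26/Mar/2026:09:14:02 +0300] "GET /api/v1/init_consts HTTP/1.1" 200 512 "site=branch-riyadh"
203.0.113.77 - - [26/Mar/2026:09:14:09 +0300] "GET /api/v1/init_consts HTTP/1.1" 200 512 "site=x'; SELECT pg_sleep(4)--"
10.20.0.9 - - [26/Mar/2026:09:15:30 +0300] "GET /api/v1/init_consts HTTP/1.1" 200 512 "site=default"
"""

# Constructed sample: PostgreSQL server log with log_statement = 'all'.
PG_LOG = """\
2026-03-26 09:14:02.113 +03 [4412] LOG:  statement: SELECT tenant_id FROM sites WHERE name = 'branch-riyadh'
2026-03-26 09:14:09.201 +03 [4412] LOG:  statement: SELECT tenant_id FROM sites WHERE name = 'x'; SELECT pg_sleep(4)--'
2026-03-26 09:14:40.877 +03 [4412] LOG:  statement: COPY (SELECT * FROM admin_users) TO '/tmp/out.csv'
2026-03-26 09:15:30.004 +03 [4413] LOG:  statement: SELECT tenant_id FROM sites WHERE name = 'default'
"""

# Hypothetical allowlist for tenant names (assumption: short identifiers only).
SITE_OK = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "site=(?P<site>[^"]*)"$'
)

def scan_access_log(text):
    """Flag requests to the vulnerable endpoint whose Site header is not a
    plain tenant name. Anything else in the header is not a legitimate tenant."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["path"] != "/api/v1/init_consts":
            continue
        if not SITE_OK.match(m["site"]):
            findings.append({"src": m["src"], "site": m["site"],
                             "reason": "Site header fails tenant-name allowlist"})
    return findings

# Indicators from remediation step 6, plus stacked statements in general.
PG_SUSPICIOUS = [
    ("pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("COPY ... TO", re.compile(r"\bCOPY\b.*\bTO\b", re.I)),
    ("lo_export", re.compile(r"\blo_export\s*\(", re.I)),
    ("stacked statement", re.compile(r";\s*(SELECT|COPY|INSERT|UPDATE|DELETE|CREATE)\b", re.I)),
]
PG_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:  statement: (?P<sql>.*)$")

def scan_pg_log(text):
    """Return every logged statement that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = PG_RE.match(line)
        if not m:
            continue
        hits = [name for name, rx in PG_SUSPICIOUS if rx.search(m["sql"])]
        if hits:
            findings.append({"ts": m["ts"], "pid": m["pid"],
                             "indicators": hits, "sql": m["sql"]})
    return findings

def triage(access_text, pg_text):
    """Combine both scans into one summary for the incident record."""
    access = scan_access_log(access_text)
    pg = scan_pg_log(pg_text)
    return {
        "suspicious_requests": len(access),
        "suspicious_sources": sorted({f["src"] for f in access}),
        "suspicious_statements": len(pg),
        "indicators": sorted({i for f in pg for i in f["indicators"]}),
    }

if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print("request:", f)
    for f in scan_pg_log(PG_LOG):
        print("statement:", f)
    print(triage(ACCESS_LOG, PG_LOG))
```

Two design choices matter here. The access-log check is an allowlist rather than a signature list, so it catches any header that is not a tenant name without needing to know the payload in advance. The PostgreSQL check works on the statement text the server actually executed, which is the only place a blind or stacked injection leaves a record if the web tier did not log the header at all; on a production instance, enabling `log_statement` for the EMS role (or at least `log_min_duration_statement` to surface pg_sleep delays) is what makes that record exist.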

Broader Lessons: Why Endpoint Management Servers Are High-Value Targets

CVE-2026-21643 follows a pattern that CISOs should recognize by now. Endpoint management platforms — whether FortiClient EMS, Microsoft SCCM, Ivanti EPM, or ManageEngine — sit at the intersection of maximum privilege and minimum scrutiny. They hold credentials for every managed device, yet they are often treated as internal tools exempt from the same hardening applied to internet-facing assets. Attackers know this. The SolarWinds Orion compromise in 2020, the Kaseya VSA attack in 2021, and now this FortiClient EMS flaw all follow the same playbook: compromise the management plane, own the fleet.

Saudi institutions operating under SAMA's oversight should classify endpoint management servers as Tier-1 critical assets, subject to the same vulnerability management SLAs, network segmentation, and monitoring intensity as core banking systems. The ECC-2:2024 framework's expanded scope in Control 2-3 (Asset Management) provides the regulatory basis for this classification.

Conclusion

CVE-2026-21643 is not a theoretical risk — exploitation is live, the attack is trivial, and the payoff for adversaries is enormous. Every Saudi financial institution running FortiClient EMS should verify its version, patch to 7.4.5, and conduct a forensic review of its EMS server and managed endpoints. Waiting for CISA's KEV listing or the next audit cycle is not an option when attackers are already inside the window.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your endpoint management infrastructure security posture.
