
CVE-2026-21643: Critical SQL Injection in FortiClientEMS

On 6 February 2026, Fortinet released fixes for a critical vulnerability in FortiClientEMS, tracked as CVE-2026-21643.

On 6 February 2026, Fortinet released fixes for a critical vulnerability in FortiClientEMS, tracked as CVE-2026-21643. The flaw arises from improper neutralisation of special elements used in SQL commands in the FortiClientEMS GUI (web interface) that can allow an unauthenticated remote threat actor to execute unauthorised code or commands. 
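The weakness class Fortinet names here is CWE-89, improper neutralisation of special elements used in an SQL command. The following added example is generic illustration code written for this bulletin; it is not FortiClientEMS source and makes no claim about where the flaw sits in that product. The schema, the sample rows and the two handler functions are assumptions, built on an in-memory SQLite database so it runs offline. It shows why an unauthenticated input that reaches a string-built query is so dangerous, and what the parameterised form looks like.

```python
"""Added example: CWE-89 demonstrated against a constructed SQLite database.
Generic illustration code, not FortiClientEMS source. The table layout, the
sample rows and the handler names are assumptions for the demo only."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", "hash-admin", "administrator"), ("alice", "hash-alice", "operator")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string concatenation (the CWE-89 pattern).

    Attacker-controlled input becomes part of the SQL grammar, so a single
    quote in the input changes the structure of the query, not just its data.
    No authentication is consulted before the query runs, mirroring the
    'unauthenticated' reachability the advisory describes.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised statement: the input is bound as a value by the driver,
    so quote characters and keywords in it can never alter the query."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: a tautology that bypasses the WHERE clause, and a
    # UNION that pulls a different column (the password hashes) into the result.
    tautology = "x' OR '1'='1"
    union = "x' UNION SELECT password_hash, role FROM users WHERE '1'='1"
    for payload in (tautology, union):
        print("vulnerable:", lookup_user_vulnerable(db, payload))
        print("safe:      ", lookup_user_safe(db, payload))
```

The vulnerable handler returns every user for the tautology and leaks the password-hash column for the UNION payload; the parameterised handler returns nothing for either, because the whole string is compared as a literal username. When reviewing a patch for a flaw of this kind, the check is exactly this: does the fixed code bind user input as a parameter, or does it still assemble SQL text from it.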

At the time of this writing, CVE-2026-21643 has not been observed exploited in the wild, and Arctic Wolf has not identified a publicly available proof-of-concept. Given the level of access this vulnerability provides, threat actors may attempt to reverse engineer the patches, especially since Fortinet products have been heavily targeted in the past, as indicated by CISA's Known Exploited Vulnerabilities Catalog.

Recommendation for CVE-2026-21643

Apply Fixes

Arctic Wolf strongly recommends that customers apply the fix. 

Product          Affected Version   Fixed Version
FortiClientEMS   7.4.4              7.4.5

Note: FortiClientEMS versions 7.2 and 8.0 are unaffected by this vulnerability. 

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 
