Another Fortinet vulnerability. Another active exploitation timeline that started before most partners heard about it. Here’s what you need to know and what you need to do before you close your laptop tonight.
The Vulnerability
CVE-2026-21643 is a pre-authentication SQL injection in FortiClient Endpoint Management Server (EMS) version 7.4.4. It affects multi-tenant deployments only. Single-site installations are not impacted.
The flaw exists in how FortiClient EMS handles tenant identification. Version 7.4.4 refactored the middleware stack and database connection layer for multi-tenant support. During that refactor, the HTTP header that identifies which tenant a request belongs to began being passed directly into a database query without sanitization, and that lookup happens before any login check.
Translation: an attacker who can reach the EMS web interface over HTTPS doesn’t need credentials. One crafted HTTP request is enough to execute arbitrary SQL against the PostgreSQL database backing the server.
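To make the mechanism concrete, here is an added example (not Fortinet's code and not from the Bishop Fox write-up) of the tenant-resolution step done safely: the header value is checked against a strict allowlist before it touches the database, then bound as a query parameter rather than formatted into the SQL string. The header name X-Tenant-ID, the tenant table and the in-memory SQLite stand-in for PostgreSQL are assumptions for the demo.

```python
import re
import sqlite3
from typing import Optional

# Hypothetical header name: the post does not name the real EMS header.
TENANT_HEADER = "X-Tenant-ID"
# Allowlist for tenant identifiers: letters, digits, '-' and '_' only.
TENANT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the server's tenant table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (id INTEGER PRIMARY KEY, slug TEXT UNIQUE)")
    conn.executemany("INSERT INTO tenants (slug) VALUES (?)",
                     [("acme",), ("globex",)])
    return conn


def resolve_tenant(conn: sqlite3.Connection, headers: dict) -> Optional[int]:
    """Map the tenant header to a tenant id; None if missing, malformed or unknown.

    This runs before authentication, exactly where the post says the flaw
    sits, so it gets two layers of defence:
      1. Reject anything that is not a well-formed identifier, so a hostile
         header value never reaches the database at all.
      2. Bind the value as a query parameter instead of formatting it into
         the SQL string, so the driver treats it as data regardless of step 1.
    The vulnerable shape this replaces is string building such as
        f"SELECT id FROM tenants WHERE slug = '{raw}'"
    which is what lets header content change the meaning of the query.
    """
    raw = headers.get(TENANT_HEADER, "")
    if not TENANT_RE.fullmatch(raw):
        return None  # fail closed: no tenant, no further processing
    row = conn.execute("SELECT id FROM tenants WHERE slug = ?", (raw,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    for value in ("acme", "globex", "nobody", "acme';"):
        print(repr(value), "->", resolve_tenant(db, {TENANT_HEADER: value}))
```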
What does that give them? Admin credentials. Endpoint inventory data. Security policies. Certificates for managed endpoints. Everything you’d need to pivot from “I found the management server” to “I own the managed endpoints.”
Bishop Fox published a detailed technical analysis in early March. Defused Cyber confirmed active exploitation started about four days ago. As of now, Fortinet’s own advisory still doesn’t flag it as actively exploited. CISA’s KEV list doesn’t include it either.
The Fix
Upgrade to FortiClient EMS 7.4.5. That’s it. Branches 7.2 and 8.0 are not affected.
If you can’t upgrade immediately, check whether your EMS web interface is publicly exposed. Shadowserver is tracking over 2,400 FortiClient EMS instances with web interfaces on the open internet. Shodan shows roughly 1,000 publicly accessible. If yours is one of them and you’re running 7.4.4 in multi-tenant mode, you are exposed right now.
The Pattern
Here’s what should bother you more than this specific CVE. David Shipley of Beauceron Security put it bluntly to CSO Online: “This is Fortinet’s seventh SQL CVE over the past 12 months, and that’s frankly seven too many.”
Seven SQL injection vulnerabilities in 12 months. SQL injection has been the number one application security risk on the OWASP Top 10 for over 20 years. These aren’t novel attack patterns. They’re the fundamentals.
And the Fortinet vulnerability timeline this year reads like a greatest hits album of things that shouldn’t happen to a security vendor. AI-assisted attacks on weakly protected FortiGate firewalls. Zero-day exploitation against customer devices. Stolen firewall credentials. Criticism over silent patching practices. And now this: a critical flaw in the management server MSPs use to run multi-tenant endpoint deployments.
If you’re an MSP running FortiClient EMS for multiple customers from a single instance, you need to think about this in terms of blast radius. A compromise of your management server doesn’t affect one customer. It affects all of them. The ScreenConnect CVE-2026-3564 lesson applies here too: when your management tools are the attack surface, the scale that makes your business efficient is the same scale that makes a breach catastrophic.
What To Do Monday Morning
- Check your FortiClient EMS version. If you’re on 7.4.4 with multi-tenant enabled, upgrade to 7.4.5 tonight or first thing tomorrow.
- Audit your exposure. Is the EMS web interface accessible from the internet? If yes, restrict access to VPN or internal networks only until you’ve patched.
- Review your endpoint certificates. If you suspect compromise, assume the certificates and admin credentials stored in EMS are burned. Rotate them.
- Have the Fortinet conversation with your team. Seven SQL injection CVEs in a year from a security vendor is a pattern, not a fluke. Your MSP tools are your attack surface. Evaluate whether your Fortinet deployment model matches the risk you’re willing to carry.
SonicWall’s 2026 Cyber Protect Report dropped today with a finding that should haunt every MSP: 85% of actionable security alerts come from credential and identity compromise. The irony of a management server vulnerability that hands over admin credentials and endpoint certificates isn’t subtle.
Patch. Audit. Move.