Here’s your Monday report on immediate and emerging threats. Powered by the CrowdSec Network.
A critical Fortinet management flaw is now drawing real attacker attention
The CrowdSec Network is tracking exploitation attempts targeting CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4. This bug affects the central management server that many IT and security teams use to administer endpoint protection, remote access settings, and device posture at scale. Fortinet published the advisory on 6 February 2026; CISA added the issue to its Known Exploited Vulnerabilities catalog on 13 April; CrowdSec shipped a detection rule on 15 April; and we first observed in-the-wild exploitation on 20 April. Since then, CrowdSec has seen 51 distinct attacking IPs.

Key findings
- The public warning signs escalated quickly: Fortinet disclosed CVE-2026-21643 on 6 February 2026, CISA moved it into KEV on 13 April, CrowdSec released detection coverage on 15 April, and exploitation reached our network on 20 April.
- The activity is active but not yet internet-noisy: CrowdSec has observed 51 distinct attacking IPs between 20 April and 27 April, indicating meaningful attacker interest without the kind of giant spray-and-pray wave seen in more commoditized campaigns.
- The vulnerability affects a core administrative system: FortiClient EMS, which is used to centrally manage endpoints. If attackers gain access here, they are not probing a low-impact public-facing service. They are moving closer to the systems used to control user devices and security settings.
What is FortiClient EMS?
FortiClient EMS is Fortinet’s central management platform for endpoints. It is used by desktop engineering teams, IT administrators, and security operations teams to manage endpoint protection, VPN profiles, compliance policies, and remote device posture from a single location.
Why it matters: When a vulnerability affects an endpoint management server, the blast radius extends beyond the server itself. These systems often sit close to identity systems, endpoint inventories, policy data, and remote access configurations. In business terms, this is less like a broken window and more like someone finding the badge printer room.
How does CVE-2026-21643 work?
According to Fortinet’s advisory, the flaw is an unauthenticated SQL injection in the FortiClient EMS administrative interface. Public exploit material and a public Nuclei detection template show the same attack path: requests to the /api/v1/init_consts endpoint can inject malicious SQL through the Site HTTP header.
That matters because the vulnerable input is passed into the backend database handling without proper sanitization. In practical terms, that can let an attacker send crafted requests that:
- trigger database errors that confirm the target is vulnerable
- extract or manipulate stored data
- potentially chain into unauthorized code or command execution, depending on the database capabilities and server configuration
This is one of those bugs that looks deceptively simple from the outside. It is just one request and one header, but it targets an exposed management interface with no authentication required.
Original advisory: Fortinet PSIRT advisory FG-IR-25-1142
Research and public exploit reference: 0xBlackash PoC repository
Detection reference: ProjectDiscovery Nuclei template for CVE-2026-21643
Reporter attribution: Fortinet credits Gwendal Guégniaud of Fortinet Product Security for the internal discovery and report.
Threat Landscape Analysis
The current CrowdSec picture suggests real-world exploitation with measured volume. We are not yet seeing a large wall of traffic, and the exploitation phase for this CVE in CrowdSec's CTI is still marked as "insufficient data", so no stronger behavioral classification is available yet. That said, defenders should not read that as a sign of comfort. The combination of a CVSS score of 9.1, public exploit code, a public Nuclei template, and CISA KEV status makes this exactly the kind of vulnerability that can move from selective probing to broader abuse with very little notice.

The timing is also useful. CrowdSec released detection coverage on 15 April, and live exploitation appeared in our telemetry within 5 days. That is a short runway for defenders, especially when the vulnerable system is an administrative platform that may still be reachable from the internet for convenience.

How to protect your systems
Patch: Fortinet states that FortiClient EMS 7.4.4 is affected and recommends upgrading to 7.4.5 or above. FortiClient EMS 7.2 and 8.0 are listed as not affected in the vendor advisory. If you are still on 7.4.4, treat this as an urgent issue.
Preemptive blocking: If you cannot patch immediately, do not leave the EMS administrative interface exposed to the open internet. Restrict access via a VPN, an identity-aware proxy, or a tightly controlled allowlist. Put a WAF in front of the application and inspect for suspicious requests to /api/v1/init_consts, especially those carrying abnormal Site header values. CrowdSec users should make sure their detection stack is updated and review CrowdSec CTI for CVE-2026-21643.
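The two defensive checks described above (watch for abnormal Site header values on /api/v1/init_consts, and restrict who may reach the administrative interface at all) can be expressed as a small log triage script. The following is an added example written for this report; it is not CrowdSec's detection rule, not Fortinet code, and not derived from the Nuclei template. It assumes a constructed key=value access-log format in which the Site header has been logged alongside the request, and its idea of a "normal" Site value (a short hostname-like identifier) and its SQL-syntax markers are heuristics chosen here, not facts from the vendor advisory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Endpoint and header named in the report as the injection path.
VULN_PATH = "/api/v1/init_consts"

# Heuristic (an assumption): a legitimate Site value is a short
# hostname-like identifier. Anything outside this charset is abnormal.
SAFE_SITE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Heuristic (an assumption): quotes, comment markers, statement separators
# and common SQL keywords have no business in a site identifier.
SQL_MARKERS = re.compile(
    r"['\";]|--|/\*|\b(?:select|union|or|and|sleep|waitfor|insert|update|delete|drop)\b",
    re.IGNORECASE,
)

# Constructed log format: one request per line, Site header value quoted.
LINE_RE = re.compile(
    r'ip=(?P<ip>\S+) method=(?P<method>\S+) path=(?P<path>\S+) site="(?P<site>[^"]*)"'
)

# Constructed sample lines (not real telemetry). 10.0.0.0/8 plays the role of
# the management allowlist; everything else is "the open internet".
SAMPLE_LOG = """\
ip=203.0.113.10 method=GET path=/api/v1/init_consts site="hq-ems"
ip=203.0.113.10 method=GET path=/api/v1/version site="hq-ems"
ip=198.51.100.7 method=GET path=/api/v1/init_consts site="hq-ems' --"
ip=198.51.100.7 method=GET path=/api/v1/init_consts site="hq-ems'; SELECT 1"
ip=192.0.2.44 method=GET path=/api/v1/init_consts site=""
ip=10.0.0.5 method=GET path=/api/v1/init_consts site="branch-01"
"""


@dataclass
class Request:
    ip: str
    method: str
    path: str
    site: str


@dataclass
class Finding:
    request: Request
    reasons: List[str]


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Request(m["ip"], m["method"], m["path"], m["site"])


def classify(req: Request, allowlist) -> List[str]:
    """Return the reasons a request to the vulnerable endpoint is suspicious."""
    reasons = []
    if req.path != VULN_PATH:
        return reasons
    if not SAFE_SITE.match(req.site):
        reasons.append("Site header outside expected identifier charset")
    if SQL_MARKERS.search(req.site):
        reasons.append("Site header contains SQL syntax markers")
    src = ipaddress.ip_address(req.ip)
    if not any(src in net for net in allowlist):
        reasons.append("source not in management allowlist")
    return reasons


def scan(log_text: str, allowlist_cidrs: List[str]) -> List[Finding]:
    """Triage a log: every init_consts request with at least one reason is a finding."""
    allowlist = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = classify(req, allowlist)
        if reasons:
            findings.append(Finding(req, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{f.request.ip} {f.request.path} site={f.request.site!r}: {', '.join(f.reasons)}")
```

Run as-is and it reports four of the six sample lines: the internet-sourced request with a benign Site value (allowlist only), the two with injection-style values (charset, SQL markers and allowlist), and the empty Site header. The request to a different endpoint and the allowlisted branch request produce nothing. The same split maps onto the mitigations in the report: the allowlist reason is what a VPN or identity-aware proxy removes entirely, and the header reasons are what a WAF rule in front of /api/v1/init_consts should block while the 7.4.5 upgrade is scheduled.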
