Fortinet FortiClient EMS SQL Injection Vulnerability
What it is
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Who's affected
Affects anyone whose internet connection goes through a Fortinet appliance — typically a FortiGate firewall or FortiClient VPN. The firewall sits between every device in the office and the internet; exploitation can mean an attacker gets inside the network perimeter without touching a workstation.
What to do
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA action deadline: April 16, 2026. Federal agencies must complete the required action by this date. For private SMBs the deadline is advisory — but treat it as a strong recommendation, especially if you handle regulated data (HIPAA, GLBA, ABA model rules).
If you don't have someone in-house to verify the patch deployed across every endpoint — or you're not sure whether you're affected — that's exactly the kind of triage we do. Book a free 20-minute triage call.
Severity
CVSS base score: 9.8 — CRITICAL
Weakness classification: CWE-89
Source
Pulled daily from the public cisagov/kev-data mirror (CC0). View the original entry on cisa.gov. CISA KEV is US-Government public-domain data; we add the SMB-vertical framing and the coping action above.