[Vulnerability Alert] High-Risk Security Vulnerabilities Found in FortiClient EMS (CVE-2026-21643 and CVE-2026-35616), Please Confirm and Patch Immediately

• Subject Explanation: [Vulnerability Alert] High-Risk Security Vulnerabilities Found in FortiClient EMS (CVE-2026-21643 and CVE-2026-35616), Please Confirm and Patch Immediately

• Content Description:
  • Forwarding National Information Security Analysis and Sharing Center (NISAC) Alert NISAC-200-202604-00000002
  • Researchers have discovered an SQL Injection vulnerability (CVE-2026-21643) and an Improper Access Control vulnerability (CVE-2026-35616) in FortiClient EMS. Both vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code.
  • Both vulnerabilities have already been exploited by hackers; please confirm and patch immediately.
• Impacted Platforms:
  • FortiClient EMS versions 7.4.x to 7.4.6
• Suggested Measures:
  • Please update FortiClient EMS 7.4.x versions to version 7.4.7 and later versions
• References:
  1. https://nvd.nist.gov/vuln/detail/CVE-2026-21643
  2. https://nvd.nist.gov/vuln/detail/CVE-2026-35616
  3. https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
  4. https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Computer and Communication Center
Network Systems Division