VYPR
Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

Fortinet Patches SQL Injection Vulnerability in FortiClientEMS

Fortinet has disclosed an SQL injection vulnerability in FortiClientEMS that could allow authenticated attackers to execute arbitrary SQL queries on the backend database.

Fortinet disclosed an SQL injection vulnerability (CWE-89) in its FortiClientEMS endpoint management server on April 14, 2026. The flaw, tracked under advisory FG-IR-26-102, carries a CVSSv3 score of 7.1 and affects multiple versions of the product. An authenticated attacker can exploit the vulnerability by sending specially crafted requests to the server, enabling them to run arbitrary SQL queries on the underlying database.

The vulnerability stems from improper neutralization of special elements used in SQL commands, a classic injection flaw that can lead to data exfiltration, modification, or privilege escalation within the database. FortiClientEMS is used by organizations to centrally manage Fortinet endpoint security clients, making it a high-value target for attackers seeking to pivot into broader network environments.
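To make the flaw class concrete, here is an added, self-contained illustration of CWE-89 (it is not FortiClientEMS code and says nothing about how that product builds its queries): the same lookup over a constructed in-memory SQLite table, once with the caller's value interpolated into the SQL text and once with it passed as a bound parameter. The table name, columns, sample rows and payload are all invented for the demonstration.

```python
"""Added CWE-89 illustration (not Fortinet code): string-built query vs. bound parameter."""
import sqlite3

# Constructed sample data standing in for an endpoint inventory table.
SAMPLE_ROWS = [
    ("alice-laptop", "alice", "10.0.0.11"),
    ("bob-desktop", "bob", "10.0.0.12"),
    ("carol-tablet", "carol", "10.0.0.13"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, owner TEXT, ip TEXT)")
    conn.executemany("INSERT INTO endpoints VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_owner_vulnerable(conn, owner):
    """Improper neutralization: the caller's value becomes part of the SQL text,
    so a quote character in `owner` changes the structure of the statement."""
    sql = f"SELECT hostname, ip FROM endpoints WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_by_owner_fixed(conn, owner):
    """Bound parameter: the driver sends `owner` as data, never as SQL,
    so the same value is matched literally and cannot alter the query."""
    return conn.execute(
        "SELECT hostname, ip FROM endpoints WHERE owner = ?", (owner,)
    ).fetchall()


# A classic tautology payload (hypothetical; chosen only to show the difference).
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run both variants against the same payload and return what each leaks."""
    conn = make_db()
    return {
        "vulnerable": find_by_owner_vulnerable(conn, PAYLOAD),
        "fixed": find_by_owner_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable variant returns every row because the injected `OR '1'='1'` becomes part of the WHERE clause; the parameterized variant returns nothing, since no owner is literally named `nobody' OR '1'='1`. The fix is the bound parameter, not escaping or validating the input: validation is a useful second layer, but only parameterization keeps data and SQL structure separate regardless of what the caller sends.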

Affected versions include FortiClientEMS 7.4.0 through 7.4.5, 7.2.0 through 7.2.12, and all versions of 7.0. Fortinet has released patches for the supported branches: customers should upgrade to FortiClientEMS 7.4.6 or above, or 7.2.13 or above. For the 7.0 branch, which is no longer supported, Fortinet recommends migrating to a fixed release.

Notably, Fortinet has already remediated the issue in its cloud-based offerings. Customers using FortiClient Cloud or FortiSASE do not need to take any action, as the fix has been applied server-side. Cloud-managed deployments are therefore covered without customer patching; only on-premises FortiClientEMS installations need the upgrade.

The vulnerability was internally discovered and reported by David Maciejak, Gwendal Guegniaud, and Loic Pantano of the Fortinet Product Security team. The advisory was published on April 14, 2026, with no evidence of active exploitation reported at the time of disclosure.

This disclosure follows a pattern of SQL injection vulnerabilities in Fortinet products. Earlier in 2026, the company patched similar flaws in FortiNDR and FortiMail, underscoring the need for parameterized queries and rigorous input handling across its product line. Organizations running on-premises FortiClientEMS should prioritize the upgrade. Because exploitation requires authentication, limiting network exposure of the EMS management interface and reviewing which accounts hold access to it narrows the pool of potential attackers until the patch is applied, but neither is a substitute for patching.

Synthesized by Vypr AI