Lyrie
active-exploitation
ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence·4/13/2026

What happened

CISA added CVE-2026-21643 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-13, which signals confirmed exploitation in the wild [CISA KEV catalog]. The entry describes an unauthenticated SQL injection in Fortinet FortiClient EMS that may allow an attacker to execute unauthorized code or commands via specially crafted HTTP requests [CISA CVE-2026-21643 entry]. NIST tracks the CVE under CWE-89 (SQL Injection), that is, untrusted input reaching a SQL query without being neutralized [NVD CVE-2026-21643]. CISA set a federal remediation due date of 2026-04-16 and directs agencies to apply vendor mitigations or discontinue use of the product if mitigations are unavailable [CISA KEV required action]. A matching record exists in the MITRE CVE database for cross-reference and coordination [MITRE CVE-2026-21643].

Why it matters

Pre-authentication SQL injection on a management service is high impact because it lets an attacker run arbitrary SQL and manipulate data without holding any credentials [CWE-89 (SQL Injection)]. In this case CISA explicitly notes the potential to execute unauthorized code or commands via crafted HTTP requests, which raises the ceiling from data theft to full system compromise depending on what the database and its backend integrations can reach [CISA CVE-2026-21643 entry]. KEV inclusion means exploitation has been observed, so the patch priority is driven by active attacks rather than theoretical risk [CISA KEV program]. SQL injection weaknesses are routinely used to read or modify application data, bypass authentication checks, and escalate privileges within the data layer [CWE-89 (Impacts)]. When the vulnerable surface is reachable over HTTP with no login, opportunistic scanning and automated exploitation are trivial, and the window between disclosure and compromise collapses to hours [NVD CVE-2026-21643].

Technical detail

CVE-2026-21643 is categorized under CWE-89, meaning user-controlled input is built into a SQL command without proper neutralization, so an attacker can change the structure of the query rather than just the values it compares against [CWE-89 definition]. According to CISA, exploitation requires only specially crafted HTTP requests, which implies the vulnerable sink sits in a web-exposed code path reachable before authentication [CISA CVE-2026-21643 entry]. NVD confirms the SQL injection classification and ties the vulnerability specifically to Fortinet FortiClient EMS, so the affected component is the EMS application's HTTP interface [NVD CVE-2026-21643]. Neither source publishes the exact parameter or endpoint, so defenders should treat the whole EMS HTTP surface as in scope until the vendor advisory narrows it.

Typical SQL injection abuse lets an attacker exfiltrate table contents, modify records, or invoke database-native procedures if the application's database account has the permissions, all standard CWE-89 consequences [CWE-89 (Consequences)]. CISA's wording that the bug "may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests" indicates that post-injection impact can extend beyond data tampering, depending on application logic and database capabilities [CISA KEV text]. Because KEV inclusion denotes confirmed exploitation, defenders should assume adversaries are already automating discovery and payload delivery against any internet-exposed EMS endpoint [CISA KEV program].
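To make the CWE-89 mechanism concrete, here is an added example (it is not code from this page, from Fortinet, or from the EMS code path under discussion) that places a lookup built by string concatenation beside its parameterized form, using Python's sqlite3. The schema, rows and payloads are constructed for illustration only.

```python
import sqlite3

# Constructed schema and rows for illustration; this is not the FortiClient EMS database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def lookup_vulnerable(conn, name, password):
    # CWE-89: untrusted input is concatenated into the statement text, so a quote
    # in `name` ends the string literal and the rest of the input becomes SQL.
    query = (
        "SELECT id, name, is_admin FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name, password):
    # Hardened form: the statement text is fixed and the driver binds values
    # separately, so input can never change the query's structure.
    query = "SELECT id, name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # Authentication bypass: the trailing `--` comments out the password check.
    bypass = "alice' --"
    results["bypass_vulnerable"] = lookup_vulnerable(conn, bypass, "wrong")
    results["bypass_parameterized"] = lookup_parameterized(conn, bypass, "wrong")
    # Data exfiltration: a UNION pulls another column (here the password) into the result.
    union = "' UNION SELECT id, password, 1 FROM users --"
    results["union_vulnerable"] = lookup_vulnerable(conn, union, "x")
    results["union_parameterized"] = lookup_parameterized(conn, union, "x")
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same two payloads return an admin row and a dump of every password through the concatenated query, and nothing at all through the parameterized one; the difference is entirely in whether the input can reach the SQL parser as syntax.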

Defense

CISA's required action is to apply mitigations per the vendor advisory, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable, with a due date of 2026-04-16 for federal agencies [CISA KEV required action]. Track CVE-2026-21643 in your vulnerability management system and raise its priority on the basis of KEV status, which indicates active exploitation pressure [CISA KEV program]. Where patching is not immediately feasible, reduce exposure by restricting access to the EMS HTTP interface to management networks and increasing monitoring on any endpoint that must remain reachable, and plan for service downtime if discontinuation becomes necessary under CISA's guidance [CISA KEV entry]. Confirm the fixed version against the vendor advisory rather than assuming the first available update closes this CVE.

From a secure engineering standpoint, SQL injection is prevented by parameterized queries, strict input validation, and the elimination of dynamic query concatenation, as set out in CWE-89 mitigation guidance [CWE-89 (Mitigations)]. Detection signals that commonly indicate SQL injection attempts include unexpected database error responses following HTTP requests, abnormal query latency (time-based probing), and spikes in inputs containing quote characters, comment sequences, or UNION/SELECT-like tokens, all of which map to typical CWE-89 exploitation artifacts [CWE-89 (Detection)]. Validate that your asset inventory accurately identifies every deployment of FortiClient EMS and tie change control to the KEV timeline so remediation is verifiable before the CISA due date [CISA KEV timeline].
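As an added example of the detection signals above (constructed here; it is not Lyrie's or Fortinet's detection content), the following Python scores constructed access-log lines for SQL-injection artifacts: comment sequences, tautologies, UNION SELECT, stacked statements, time-based functions, and a 5xx response to a request carrying a bare quote. The /api/status path, the `id` parameter and the log format are hypothetical and not EMS's real URL scheme.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Common Log Format style). The /api/status path and
# the `id` parameter are hypothetical and not FortiClient EMS's real URL scheme.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2026:09:00:01 +0000] "GET /api/status?id=42 HTTP/1.1" 200 512
203.0.113.5 - - [13/Apr/2026:09:00:02 +0000] "GET /api/status?id=42' HTTP/1.1" 500 88
203.0.113.5 - - [13/Apr/2026:09:00:03 +0000] "GET /api/status?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9031
203.0.113.5 - - [13/Apr/2026:09:00:04 +0000] "GET /api/status?id=42%27%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 9031
198.51.100.9 - - [13/Apr/2026:09:00:05 +0000] "GET /api/status?id=17 HTTP/1.1" 200 512
203.0.113.5 - - [13/Apr/2026:09:00:06 +0000] "GET /api/status?id=42%27%3BSELECT%20pg_sleep(5)-- HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Heuristic signatures for common CWE-89 payload shapes, applied to decoded values.
SQLI_PATTERNS = [
    ("comment", re.compile(r"(--|/\*)")),
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("union", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("stacked", re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|pg_sleep|waitfor|benchmark)\s*\(", re.I)),
]


def decode_params(target):
    """Return (name, value) pairs with percent-encoding removed, as the backend sees them."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def score_request(target, status):
    """Return the list of signal names triggered by one request."""
    hits = []
    for _name, value in decode_params(target):
        hits.extend(label for label, rx in SQLI_PATTERNS if rx.search(value))
        # A 5xx right after a bare quote is the classic "unexpected database error" probe.
        if "'" in value and status >= 500:
            hits.append("server_error_after_quote")
    return hits


def analyze(log_text, threshold=2):
    """Parse log lines; return (findings, source IPs with >= threshold suspicious requests)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = score_request(m["target"], int(m["status"]))
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "hits": hits})
    per_ip = {}
    for f in findings:
        per_ip[f["ip"]] = per_ip.get(f["ip"], 0) + 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return findings, flagged


if __name__ == "__main__":
    found, sources = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["hits"], f["target"])
    print("flagged sources:", sources)
```

Decoding before matching matters: the payloads arrive percent-encoded, and matching the raw request line would miss every one of them. The per-source threshold is there because a single quote in a parameter is ordinary noise; the same client producing a quote-then-500, a tautology and a UNION within seconds is the probing sequence the paragraph describes. Tune the patterns against your own traffic, since `--` and `union` can appear in legitimate values.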

Lyrie Verdict

Pre-auth injection on a management-plane service is precisely the kind of target autonomous adversaries and rogue AI agents harvest at scale, especially once a CVE hits KEV and exploit traffic spikes within hours [CISA KEV program]. Lyrie's stance is machine-speed containment: model the EMS HTTP grammar and flag anomalous parameter values consistent with SQL injection, correlate them with backend database error and latency signals, auto-isolate the service when pre-auth injection heuristics trip, and then verify the fix against the CVE ID before closing the incident [CWE-89 (Attack Patterns)]. Treat CVE-2026-21643 as active fire; automate detection and response at the edge rather than waiting for manual triage, because KEV designation means exploitation is not hypothetical [NVD CVE-2026-21643].

Sources: [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) · [CWE-89](https://cwe.mitre.org/data/definitions/89.html) · [NVD CVE-2026-21643](https://nvd.nist.gov/vuln/detail/CVE-2026-21643)