Another Day, Another Management Console Owned. Fortinet EMS Makes It Five CVSS 9.8+ in Two Weeks.

  • Writer: Patrick Duggan
  • Apr 4
  • 4 min read

FortiClient EMS — the server that manages Fortinet's endpoint security agents — has a CVSS 9.8 SQL injection that's being actively exploited in the wild. Unauthenticated. Through the web GUI. Low complexity. Remote code execution.


CVE-2026-21643. Active since March 26. Not yet in CISA's KEV catalog. Defused confirmed exploitation on March 30. Fortinet has patches. Most organizations haven't applied them.


This is the fifth management interface with a CVSS 9.8+ vulnerability actively exploited in the last two weeks.



The Scoreboard



| # | CVE | Product | CVSS | What It Manages | Exploited Since |
|---|-----|---------|------|-----------------|-----------------|
| 1 | CVE-2026-20131 | Cisco FMC | 10.0 | Cisco firewalls | Jan 26 (36 days before disclosure) |
| 2 | CVE-2026-22769 | Dell RecoverPoint | 10.0 | VMware disaster recovery | Mid-2024 (2 years) |
| 3 | CVE-2026-21962 | Oracle WebLogic | 10.0 | Application servers | Jan 22 (same day as PoC) |
| 4 | CVE-2026-20093 | Cisco IMC | 9.8 | Server hardware (BIOS-level) | March 2026 |
| 5 | CVE-2026-21643 | Fortinet EMS | 9.8 | Endpoint security agents | March 26 |


Five management interfaces. Five critical-severity vulnerabilities, three of them CVSS 10.0. Five active exploitation campaigns. Two weeks.


The tools that manage your security — your firewall console, your endpoint management server, your disaster recovery controller, your application server admin panel, your hardware management interface — are the most dangerous things in your environment.



The Fortinet EMS Attack


FortiClient EMS is where administrators manage their entire Fortinet endpoint deployment. Every FortiClient agent across every laptop, desktop, and server in the organization reports to EMS. EMS pushes policies, updates, and configurations. It has administrative authority over every endpoint.


The vulnerability: SQL injection through the EMS web interface. An unauthenticated attacker sends a crafted HTTP request to the GUI, the injected SQL executes, and the attacker ends up with code execution on the EMS server. From there, the attacker can:


  • Push malicious policies to every managed endpoint

  • Disable endpoint protection across the fleet

  • Harvest credentials from the EMS database

  • Deploy ransomware through the legitimate management channel

  • Access every endpoint that trusts the EMS server

Sound familiar? Handala used Microsoft Intune to wipe 200,000 Stryker devices. Same pattern — compromise the management server, weaponize the trust relationship with managed endpoints.


FortiClient EMS manages endpoint security. The management server for your endpoint security is the endpoint security vulnerability.



Why Management Interfaces Keep Getting Owned


Five in two weeks isn't coincidence. It's a pattern. Management interfaces share characteristics that make them ideal targets:


Maximum privilege. The management console has administrative access to everything it manages. FMC has root on every firewall. EMS controls every endpoint. RecoverPoint has root on the VM infrastructure. Compromise one server, own the fleet.


Web-accessible. Every one of these products ships with a web GUI. The web GUI needs to be accessible to administrators, which often means accessible from the corporate network. SQL injection, Java deserialization, authentication bypass — web application vulnerabilities that have been well-understood for 20 years, applied to the most privileged servers in the environment.


Trusted implicitly. Endpoints trust their management server. Firewalls trust FMC. FortiClient agents trust EMS. When the management server sends a command, the managed device executes it without question. The trust model has no kill switch — there's no "verify this command came from a non-compromised management server" check.


Patched last. Management servers are the hardest things to patch because patching them requires a maintenance window that affects every managed device. CISOs delay patching the management infrastructure because downtime on the management server means blind spots across the fleet. The result: the most privileged, most trusted, most web-accessible servers are also the most likely to be running vulnerable versions.



The Ransomware Connection


Akira (Punk Spider) specifically targets VPN infrastructure without MFA for initial access, including Fortinet's VPN products. Now Fortinet's endpoint management server has a CVSS 9.8 unauthenticated RCE.


The kill chain this sets up: Akira compromises a Fortinet VPN → pivots to the FortiClient EMS server → exploits CVE-2026-21643 → owns every managed endpoint → deploys ransomware fleet-wide through the legitimate management channel.


The endpoint security product delivers the ransomware. The managed devices trust the command because it came from their management server.



The Week's Thesis — Final Count


This week we documented trusted tools becoming attack surfaces:



| Day | Tool | What Happened |
|-----|------|---------------|
| Mon | CrowdStrike Falcon | Bricked 8.5M machines (2024 recap) |
| Mon | Microsoft Intune | Iran wiped 200K Stryker devices |
| Mon | Aqua Trivy | Credential stealer in CI/CD scanner |
| Tue | Cisco FMC | CVSS 10.0, root via firewall console |
| Wed | LinkedIn | 6,222 extensions scanned without consent |
| Wed | FBI wiretap network | Salt Typhoon inside since February |
| Thu | NVIDIA GPU | Rowhammer gives full machine control |
| Thu | Cisco (full breach) | Paid ransom — Trivy → Cisco → payment |
| Fri | Fortinet EMS | CVSS 9.8 — endpoint management server owned |


Nine trusted tools. Nine attack surfaces. One week.


From the kernel-level agent to the GPU memory to the endpoint management server to the firewall console. Every layer. Every direction. Every vendor. The thesis holds: the tools you trust most are the tools that hurt worst when they're compromised.



What To Do


If you run FortiClient EMS:

  1. Patch EMS to 7.0.11, 7.2.5, or 7.4.2 (whichever branch you run) immediately

  2. Check EMS access logs, going back to at least March 26, for unusual HTTP requests to the web GUI. The injection is unauthenticated and lands as code execution, so treat a hit as a compromised server, not a blocked attempt, and rotate every credential the EMS database holds

  3. Restrict the EMS web interface to the management VLAN; do not expose it to the general corporate network

  4. Enable MFA on FortiClient VPN (Akira targets VPNs without MFA)

For every management console you run:

  1. Assume it's the highest-value target in your environment, because it is

  2. Network-segment the management interface behind a jump box or VPN

  3. Patch management infrastructure first, not last

  4. Monitor for authentication anomalies on management GUIs

  5. Ask your vendor: "What happens if this management server is compromised?" If the answer is "everything," your architecture has a single point of failure
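The first two EMS steps, patch status and log review, are the ones a responder actually types. Below is an added triage helper to illustrate them; it is not code from this post or from Fortinet. It assumes, because the post does not say so, that within each of the three branches named above any build below the fixed build is unpatched, and it reports any other branch as "unknown" rather than guessing. The post does not name the vulnerable endpoint or parameter, so the log scan is a generic SQL-injection heuristic over every request line in combined-format access logs, not a signature for CVE-2026-21643. The log lines and IP addresses are constructed for the example and are not real traffic or IOCs.

```python
import re
from urllib.parse import unquote_plus

# Fixed builds per the remediation step above, keyed by minor branch.
# Assumption (not stated by the post): anything below these is unpatched.
FIXED_BUILDS = {
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 5),
    (7, 4): (7, 4, 2),
}


def parse_version(text: str) -> tuple:
    """'7.2.4' or 'v7.2.4 build 1234' -> (7, 2, 4); ValueError if no x.y.z present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def ems_patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown' for an EMS version string."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the post; check the advisory
    return "patched" if v >= fixed else "vulnerable"


# Apache/nginx combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristics for SQL smuggled in a URL, evaluated on the URL-decoded path+query.
SQLI_PATTERNS = [
    (r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", "boolean tautology"),
    (r"\bunion\b\s+(all\s+)?\bselect\b", "UNION SELECT"),
    (r"(--|#|/\*)", "SQL comment"),
    (r";\s*(select|insert|update|delete|drop|exec|declare)\b", "stacked query"),
    (r"\b(sleep|waitfor|pg_sleep|benchmark)\b", "time-based probe"),
    (r"\bxp_cmdshell\b", "command execution procedure"),
]
SQLI_RE = [(re.compile(p, re.IGNORECASE), label) for p, label in SQLI_PATTERNS]


def scan_access_log(lines):
    """Return (client_ip, decoded_path, [labels]) for each request that looks like SQLi."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        decoded = unquote_plus(m.group("path"))
        decoded = unquote_plus(decoded)  # second pass catches double-encoded payloads
        labels = [label for rx, label in SQLI_RE if rx.search(decoded)]
        if labels:
            hits.append((m.group("ip"), decoded, labels))
    return hits


# Constructed sample lines for the example: not real EMS traffic, not IOCs.
SAMPLE_LOG = [
    '10.0.5.20 - - [27/Mar/2026:09:14:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Mar/2026:09:15:41 +0000] "GET /api/v1/lookup?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1280 "-" "python-requests/2.31"',
    '203.0.113.7 - - [27/Mar/2026:09:15:43 +0000] "GET /api/v1/lookup?id=1%3BEXEC%20xp_cmdshell%20%27whoami%27-- HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '10.0.5.21 - - [27/Mar/2026:09:16:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("7.2.4", "7.2.5", "7.4.1", "7.0.11", "7.6.0"):
        print(ver, ems_patch_status(ver))
    for ip, path, labels in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(labels)}")
```

Run it against the real EMS web server logs, not the sample, and expect noise: `#` and `/*` show up in legitimate URLs, so the "SQL comment" label on its own is weak, while a stacked query or an `xp_cmdshell` reference from an unauthenticated client is the kind of line that justifies isolating the server first and asking questions later. A 200 response on an injected request is not reassurance; blind injection returns 200 by design.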

The IOCs for Fortinet exploitation, Akira/Punk Spider VPN targeting, and every management interface CVE from this week are in our STIX feed:



https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY




Five management interfaces with CVSS 9.8+ in two weeks. Cisco FMC, Dell RecoverPoint, Oracle WebLogic, Cisco IMC, Fortinet EMS. Every one manages something critical. Every one was the vulnerability, not the protection.


The management console is the front door. It has been all along. We just spent a week proving it.

