CRITICAL 31 Mar 2026

Fortinet FortiClient EMS — Critical RCE Vulnerability CVE-2026-21643

An unauthenticated SQL injection in FortiClient EMS 7.4.4 allows remote code execution, and active exploitation is confirmed. Organisations are advised to patch immediately.

Key findings

01. CVE-2026-21643 — FortiClient EMS Vulnerability
Severity: HIGH. Confidence: High.
Fortinet’s FortiClient EMS version 7.4.4 contains a critical unauthenticated SQL injection vulnerability, identified as CVE-2026-21643. This flaw allows unauthenticated remote attackers to execute arbitrary code on the affected server.

02. Update: F5 BIG-IP Vulnerability (CVE-2025-53521)
Severity: CRITICAL. Confidence: High.
CVE-2025-53521 in F5 BIG-IP APM has been reclassified from a Denial of Service (DoS) flaw to an unauthenticated Remote Code Execution (RCE) vulnerability.

03. OpenClaw Infrastructure CVE Cluster
Severity: CRITICAL. Confidence: High.
A series of vulnerabilities has been disclosed affecting the OpenClaw infrastructure, including CVE-2026-32979 (Approval Integrity Bypass), CVE-2026-33575 (Credential Disclosure), and CVE-2026-3689 (Canvas Path Traversal).

CVE-2026-21643 — FortiClient EMS Vulnerability

Confidence: High

Fortinet’s FortiClient EMS version 7.4.4 contains a critical unauthenticated SQL injection vulnerability, identified as CVE-2026-21643. This flaw allows unauthenticated remote attackers to execute arbitrary code on the affected server.

Active exploitation of this vulnerability has been confirmed since 26 March 2026. Given the widespread deployment of Fortinet solutions within UK and EU enterprise environments, this poses an immediate risk to infrastructure integrity.

Update: F5 BIG-IP Vulnerability (CVE-2025-53521)

Confidence: High

CVE-2025-53521 in F5 BIG-IP APM has been reclassified from a Denial of Service (DoS) flaw to an unauthenticated Remote Code Execution (RCE) vulnerability. Active exploitation involving the deployment of webshells is now confirmed, and the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalogue.

OpenClaw Infrastructure CVE Cluster

Confidence: High

A series of vulnerabilities has been disclosed affecting the OpenClaw infrastructure, including CVE-2026-32979 (Approval Integrity Bypass), CVE-2026-33575 (Credential Disclosure), and CVE-2026-3689 (Canvas Path Traversal). Users are urged to verify that their OpenClaw gateway instances are updated to version 2026.3.12 or later to mitigate these risks.

Why This Matters

The rapid emergence of multiple CVSS 9.0+ vulnerabilities—including critical RCE flaws in widely deployed enterprise tools like Fortinet and F5—significantly increases the attack surface for UK organisations. Attackers are aggressively weaponising these flaws, moving from proof-of-concept to active exploitation in a matter of days.

Recommended Actions

  • Fortinet: Patch FortiClient EMS to the latest secure version immediately.
  • F5: Apply the vendor-provided patches (17.1.3, 17.5.1.3, 16.1.6.1, 15.1.10.8) and perform a post-upgrade compromise check.
  • OpenClaw: Verify current gateway versions and apply patches for the disclosed CVEs.
  • Audit: Review infrastructure for exposure of these specific services and restrict access accordingly.

All findings grounded in A13E intelligence sweeps through 04:30 UTC 31 March 2026.
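
One way to turn the version guidance above into an inventory check, as an added example that is not part of the original brief. The product labels, hostnames and inventory rows are constructed, and the mapping of each F5 fixed build to its own major.minor branch is an assumption.

```python
# Added example: triage an asset inventory against the versions named in this brief.
# Product labels and the inventory below are constructed for illustration.
F5_FIXED = [(17, 5, 1, 3), (17, 1, 3), (16, 1, 6, 1), (15, 1, 10, 8)]  # from the brief
OPENCLAW_MIN = (2026, 3, 12)  # "2026.3.12 or later"
EMS_AFFECTED = (7, 4, 4)      # the only EMS version the brief names

def parse(version):
    """'17.1.2.1' -> (17, 1, 2, 1); ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))

def pad(v, width=4):
    """Right-pad with zeros so 17.1.3 compares equal to 17.1.3.0."""
    return v + (0,) * (width - len(v))

def triage(product, version):
    try:
        v = parse(version)
    except ValueError:
        return "check-advisory"  # unparseable build string, needs a human
    if product == "bigip-apm":
        # Assumption: each fixed build covers its own major.minor branch.
        for fixed in F5_FIXED:
            if v[:2] == fixed[:2]:
                return "at-or-above-fix" if pad(v) >= pad(fixed) else "below-fix"
        return "check-advisory"  # branch not listed in the brief
    if product == "openclaw-gateway":
        return "at-or-above-fix" if pad(v) >= pad(OPENCLAW_MIN) else "below-fix"
    if product == "forticlient-ems":
        # The brief gives no fixed EMS version, so only 7.4.4 is asserted.
        return "named-affected" if pad(v) == pad(EMS_AFFECTED) else "check-advisory"
    return "check-advisory"

INVENTORY = [  # constructed sample data
    ("lb02.example.internal", "bigip-apm", "16.1.6.1"),
    ("gw01.example.internal", "openclaw-gateway", "2026.3.11"),
    ("lb03.example.internal", "bigip-apm", "14.1.5"),
    ("ems01.example.internal", "forticlient-ems", "7.4.4"),
    ("lb01.example.internal", "bigip-apm", "17.1.2.1"),
]
ORDER = ["named-affected", "below-fix", "check-advisory", "at-or-above-fix"]

def report(inventory):
    """Return (host, product, version, status) rows, most urgent first."""
    rows = [(h, p, ver, triage(p, ver)) for h, p, ver in inventory]
    return sorted(rows, key=lambda row: ORDER.index(row[3]))

if __name__ == "__main__":
    for host, product, ver, status in report(INVENTORY):
        print(f"{status:16} {host:24} {product:18} {ver}")
```

An F5 host reported as `at-or-above-fix` still needs the post-upgrade compromise check listed in the recommended actions, since a patched version says nothing about what happened before the upgrade.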
