
Fortinet hit by another exploited cybersecurity flaw
Yet another critical flaw in a Fortinet product has come to light as attackers continue to target the company, this time by actively exploiting a critical SQL injection vulnerability in the cybersecurity company’s management server. The vulnerability (CVE-2026-21643) allows unauthenticated threat actors to execute arbitrary code on unpatched systems via specially crafted HTTP requests. These low-complexity attacks target the FortiClient Endpoint Management Server (EMS), a widely used cybersecurity tool. The vulnerability was being abused as recently as four days ago, according to research from red-teaming company Defused Cyber, and reflects a concerning trend for the cybersecurity giant, which ...