CVE-2026-21643 is a reported CVSS 9.8 critical vulnerability in Fortinet FortiClient EMS with active exploitation reported by secondary sources; CWE-89 (SQL Injection) is a medium-confidence classification pending Fortinet PSIRT confirmation, and specific affected version ranges have not been confirmed from primary sources. Because FortiClient EMS is the central management plane for enterprise endpoint security, a successful compromise equates to losing control of the entire endpoint security stack. Immediately restrict external network access to EMS management interfaces and validate affected scope directly against the Fortinet PSIRT advisory at fortiguard.com/psirt before finalizing the patch response.