CVE-2026-21643 (CVSS 9.8, Critical) is a SQL injection vulnerability (CWE-89) in Fortinet FortiClient Endpoint Management Server (EMS), reported as under active exploitation as of late March 2026. It enables unauthenticated remote code execution on the EMS host, which typically holds endpoint configuration, compliance policies, and managed-device credentials. A CISA KEV listing had not been confirmed at the time of data collection, but multiple secondary sources corroborate active exploitation; the EPSS signal (15.8th percentile) lags behind the reported real-world risk. Organizations should immediately restrict EMS network exposure to trusted management hosts only, apply the Fortinet PSIRT-confirmed patch, and, if exploitation is confirmed, conduct a forensic review of the EMS host and all managed endpoints for signs of persistent post-exploitation activity.