Critical FortiClient EMS RCE Vulnerability Actively Exploited in the Wild
Key Takeaways Two critical unauthenticated Remote Code Execution (RCE) vulnerabilities in FortiClient EMS are being actively exploited in the wild. Over 2,000 FortiClient EMS instances are publicly...
Key Takeaways
- Two critical unauthenticated Remote Code Execution (RCE) vulnerabilities in FortiClient EMS are being actively exploited in the wild.
- Over 2,000 FortiClient EMS instances are publicly exposed globally, with two confirmed compromised.
- The vulnerabilities, CVE-2026-35616 and CVE-2026-21643, allow attackers to gain full system control without credentials.
- Fortinet has released patches, and immediate application is crucial for all affected organizations.
A critical alert has been issued to administrators overseeing FortiClient Enterprise Management Server (EMS) deployments, following confirmation that two severe unauthenticated remote code execution (RCE) vulnerabilities are under active exploitation. The Shadowserver Foundation, a non-profit security organization, identified over 2,000 internet-accessible EMS instances worldwide, with at least two already confirmed as compromised by threat actors leveraging these flaws.
The vulnerabilities, identified as CVE-2026-35616 and CVE-2026-21643, both represent unauthenticated RCE flaws impacting Fortinet’s FortiClient EMS platform. While CVE-2026-35616 is a newly disclosed vulnerability, CVE-2026-21643 has been under recent scrutiny. The critical development is the verified in-the-wild exploitation of both, meaning attackers can execute arbitrary code on vulnerable servers without needing any authentication.
Unauthenticated RCE vulnerabilities are considered among the most dangerous security weaknesses. They enable malicious actors to remotely execute commands on a target system without requiring any credentials, potentially granting complete control over the compromised server and any endpoints it manages.
Scale of Exposure: Over 2,000 Instances Globally
Shadowserver’s extensive global sensor network has identified approximately 2,000 FortiClient EMS instances directly exposed to the public internet. Data from Shadowserver’s public dashboard indicates that the majority of these exposed systems are located in the United States and Germany.
Given that FortiClient EMS is designed as an enterprise solution for centralized management of Fortinet VPN clients and security policies across large organizations, the widespread exposure carries significant risks for corporate networks. A successful compromise of an EMS server could allow attackers to manipulate endpoint configurations, push malicious policy updates, steal VPN credentials, and establish persistent access across an organization’s entire fleet of managed endpoints.
This incident aligns with a broader trend of threat actors persistently targeting Fortinet infrastructure. Fortinet products frequently appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and both nation-state sponsored groups and ransomware operators have historically prioritized exploiting Fortinet flaws for initial access into enterprise environments.
What You Should Do
- Apply Patches Immediately: Fortinet has released patches addressing CVE-2026-35616 and CVE-2026-21643. Apply these updates without delay.
- Restrict External Access: Implement stringent firewall rules or VPN-gated access to limit internet-facing exposure of the EMS management interface.
- Conduct Log Reviews: Thoroughly review system logs for any signs of anomalous activity, unauthorized configuration changes, or suspicious outbound network connections.
- Monitor Shadowserver: Utilize Shadowserver’s public dashboard for ongoing intelligence regarding exposed EMS instances within your network ranges.
- Enable Threat Detection: Configure your SIEM or EDR platforms to alert on indicators of compromise associated with these CVEs.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.