Critical FortiClient EMS RCE Vulnerability Actively Exploited in the Wild

Emy Elsamnoudy
April 6, 2026

Key Takeaways

  • Two critical unauthenticated Remote Code Execution (RCE) vulnerabilities in FortiClient EMS are being actively exploited in the wild.
  • Over 2,000 FortiClient EMS instances are publicly exposed globally, with two confirmed compromised.
  • The vulnerabilities, CVE-2026-35616 and CVE-2026-21643, allow attackers to gain full system control without credentials.
  • Fortinet has released patches, and immediate application is crucial for all affected organizations.

A critical alert has been issued to administrators overseeing FortiClient Enterprise Management Server (EMS) deployments, following confirmation that two severe unauthenticated remote code execution (RCE) vulnerabilities are under active exploitation. The Shadowserver Foundation, a non-profit security organization, identified over 2,000 internet-accessible EMS instances worldwide, with at least two already confirmed as compromised by threat actors leveraging these flaws.

The vulnerabilities, identified as CVE-2026-35616 and CVE-2026-21643, both represent unauthenticated RCE flaws impacting Fortinet’s FortiClient EMS platform. While CVE-2026-35616 is a newly disclosed vulnerability, CVE-2026-21643 has been under recent scrutiny. The critical development is the verified in-the-wild exploitation of both, meaning attackers can execute arbitrary code on vulnerable servers without needing any authentication.

Unauthenticated RCE vulnerabilities are considered among the most dangerous security weaknesses. They enable malicious actors to remotely execute commands on a target system without requiring any credentials, potentially granting complete control over the compromised server and any endpoints it manages.

Scale of Exposure: Over 2,000 Instances Globally

Shadowserver’s extensive global sensor network has identified approximately 2,000 FortiClient EMS instances directly exposed to the public internet. Data from Shadowserver’s public dashboard indicates that the majority of these exposed systems are located in the United States and Germany.

Given that FortiClient EMS is designed as an enterprise solution for centralized management of Fortinet VPN clients and security policies across large organizations, the widespread exposure carries significant risks for corporate networks. A successful compromise of an EMS server could allow attackers to manipulate endpoint configurations, push malicious policy updates, steal VPN credentials, and establish persistent access across an organization’s entire fleet of managed endpoints.

This incident aligns with a broader trend of threat actors persistently targeting Fortinet infrastructure. Fortinet products frequently appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and both nation-state sponsored groups and ransomware operators have historically prioritized exploiting Fortinet flaws for initial access into enterprise environments.

What You Should Do

  • Apply Patches Immediately: Fortinet has released patches addressing CVE-2026-35616 and CVE-2026-21643. Apply these updates without delay.
  • Restrict External Access: Implement stringent firewall rules or VPN-gated access to limit internet-facing exposure of the EMS management interface.
  • Conduct Log Reviews: Thoroughly review system logs for any signs of anomalous activity, unauthorized configuration changes, or suspicious outbound network connections.
  • Monitor Shadowserver: Utilize Shadowserver’s public dashboard for ongoing intelligence regarding exposed EMS instances within your network ranges.
  • Enable Threat Detection: Configure your SIEM or EDR platforms to alert on indicators of compromise associated with these CVEs.
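
The exposure and access-restriction steps above can be combined into a quick triage: take an export of internet-exposed EMS hosts and keep only the rows that fall inside your own address space. This is an added example, not code from the article, Fortinet or Shadowserver. The CSV column names (`ip`, `port`, `tag`), the tag value, and the ranges and owner labels are assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress

# Constructed sample export. Column names and the tag value are assumptions
# for this example, not a documented Shadowserver report schema.
SAMPLE_FEED = """ip,port,tag
198.51.100.14,443,forticlient-ems
203.0.113.77,8443,forticlient-ems
192.0.2.200,443,other-service
not-an-ip,443,forticlient-ems
2001:db8:10::5,443,forticlient-ems
"""

# Constructed sample: the organization's own ranges and who owns them.
ORG_RANGES = {
    "198.51.100.0/24": "corp-dc-east",
    "2001:db8:10::/48": "corp-dc-west",
}


def exposed_in_ranges(feed_text, org_ranges, tag="forticlient-ems"):
    """Return (findings, skipped).

    findings: feed rows with the given tag whose address is inside one of
    our ranges, annotated with the owning team.
    skipped: address fields that could not be parsed, kept for manual review
    so a malformed row is never silently treated as "not ours".
    """
    networks = [(ipaddress.ip_network(cidr), owner)
                for cidr, owner in org_ranges.items()]
    findings, skipped = [], []
    for row in csv.DictReader(io.StringIO(feed_text)):
        if row.get("tag") != tag:
            continue
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            skipped.append(row["ip"])
            continue
        for net, owner in networks:
            # IPv4 addresses are only compared against IPv4 networks, and
            # likewise for IPv6.
            if addr.version == net.version and addr in net:
                findings.append({"ip": str(addr), "port": int(row["port"]),
                                 "owner": owner})
                break
    return findings, skipped
```

Each finding is a management interface to patch first and move behind a firewall or VPN; skipped rows need a manual look.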
