The Shadowserver Foundation has issued a critical alert to administrators of FortiClient Enterprise Management Server (EMS) after uncovering more than 2,000 publicly accessible instances worldwide. Alarmingly, two of these instances have been confirmed as actively exploited due to critical unauthenticated remote code execution (RCE) vulnerabilities.
Two significant vulnerabilities, designated as CVE-2026-35616 and CVE-2026-21643, are the focus of this alert. Both are classified as unauthenticated RCE flaws and are being exploited in the wild, posing a direct threat to Fortinet’s FortiClient EMS platform.
Active Exploitation of Vulnerabilities
CVE-2026-35616 was disclosed recently, while CVE-2026-21643 has been under observation for some weeks. Both are confirmed to be under active exploitation: threat actors are attacking unpatched systems without needing authentication credentials.
Unauthenticated RCE vulnerabilities are among the most serious security issues, allowing attackers to execute arbitrary code on a vulnerable server without the need for a username or password. This can potentially grant attackers full control over the affected system and any endpoints it manages.
Global Exposure and Implications
Through its extensive global sensor network, Shadowserver identified approximately 2,000 FortiClient EMS instances exposed to the public internet. According to Shadowserver’s public dashboard, the United States and Germany are the most affected countries.
FortiClient EMS is a crucial enterprise endpoint management solution, managing Fortinet VPN clients and security policies across large organizations. The exposure of these systems poses significant risks to corporate networks, potentially allowing attackers to manipulate configurations and access sensitive data.
Security Measures and Recommendations
A compromised EMS server could enable attackers to alter endpoint configurations, distribute malicious updates, obtain VPN credentials, and maintain persistent access across an organization’s network.
This alert highlights a broader trend of targeting Fortinet infrastructure, with Fortinet products frequently appearing in CISA’s Known Exploited Vulnerabilities catalog. Both nation-state groups and ransomware operators have historically prioritized exploiting Fortinet vulnerabilities.
Organizations using FortiClient EMS should immediately apply patches provided by Fortinet to address CVE-2026-35616 and CVE-2026-21643. Additionally, they should restrict internet-facing access, review logs for suspicious activity, and monitor Shadowserver’s dashboard for exposure insights.
Fortinet advises customers to review its security advisories and update to patched firmware versions without delay. Given the confirmed active exploitation, prompt action is essential to mitigate risks.
