Severity
High
Analysis Summary
The Shadowserver Foundation has issued an urgent alert regarding FortiClient Enterprise Management Server (EMS) deployments, identifying over 2,000 instances exposed to the public internet worldwide. Among these, two instances are confirmed to be actively exploited through critical unauthenticated remote code execution (RCE) vulnerabilities, specifically CVE-2026-35616 and CVE-2026-21643. While CVE-2026-35616 is newly disclosed, CVE-2026-21643 has been under scrutiny recently. Both vulnerabilities allow attackers to execute arbitrary code on affected servers without authentication, posing extreme risk to organizations relying on FortiClient EMS for endpoint management.
The scale of exposure is significant, with the United States and Germany being the most affected countries according to Shadowserver’s global sensor data. Given FortiClient EMS’s role in centrally managing VPN clients, security policies, and endpoints across large organizations, compromised EMS servers could provide attackers with the ability to manipulate endpoint configurations, push malicious policies, harvest VPN credentials, and maintain persistent access across an entire enterprise network.
This alert aligns with an ongoing trend of threat actors targeting Fortinet infrastructure. Fortinet products, including EMS, have frequently appeared in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Both nation-state actors and ransomware operators have historically prioritized Fortinet vulnerabilities for initial access, making unpatched EMS instances particularly attractive targets. The current in-the-wild exploitation highlights the urgency for organizations to address these flaws immediately.
To mitigate these risks, organizations should promptly apply Fortinet’s patches for CVE-2026-35616 and CVE-2026-21643, restrict public internet access to EMS interfaces through firewalls or VPNs, and monitor logs for suspicious activity or unauthorized configuration changes. Additional measures include monitoring Shadowserver dashboards for exposure intelligence and enabling alerts in SIEM or EDR systems for indicators linked to these vulnerabilities. Immediate action is critical to prevent attackers from leveraging these unauthenticated RCE flaws for network compromise and endpoint control.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2026-35616
CVE-2026-21643
Remediation
- Apply security patches immediately, install Fortinet’s patches addressing CVE-2026-35616 and CVE-2026-21643 without delay.
- Restrict internet-facing access, limit access to EMS management interfaces via firewall rules or VPN-gated access.
- Monitor logs for suspicious activity, check for unauthorized configuration changes, unusual outbound connections, or anomalous endpoint behavior.
- Enable threat detection alerts, configure SIEM or EDR platforms to detect indicators related to these CVEs.
- Use exposure intelligence, monitor Shadowserver dashboards to track any EMS instances in your network that may be publicly accessible.
- Review endpoint policies, ensure no malicious or unauthorized policies have been pushed to managed endpoints.
- Follow Fortinet advisories, consult official Fortinet security advisories for guidance and upgrade to the latest patched firmware.