The Shadowserver Foundation has issued an urgent warning to administrators of FortiClient Enterprise Management Server (EMS), revealing that more than 2,000 instances are currently exposed to the public internet, with active exploitation already confirmed in multiple cases. The alert highlights the growing risk to enterprise environments as attackers increasingly target unpatched and internet-facing management systems.

At the center of the warning are two critical vulnerabilities – CVE-2026-35616 and CVE-2026-21643 – both classified as unauthenticated remote code execution (RCE) flaws. While CVE-2026-35616 has only recently been disclosed, CVE-2026-21643 has been under scrutiny in recent weeks. Security researchers have now confirmed that both vulnerabilities are being actively exploited in the wild, significantly elevating the threat level for affected organizations.

Unauthenticated RCE vulnerabilities are considered among the most dangerous security flaws, as they allow attackers to execute arbitrary code on vulnerable systems without requiring any login credentials. This means threat actors can potentially gain full control over affected servers and the endpoints they manage, making these vulnerabilities particularly critical for enterprise infrastructure.

Shadowserver’s findings indicate that approximately 2,000 FortiClient EMS instances are currently accessible online. The highest concentration of exposed systems has been identified in the United States and Germany, though the risk extends globally. Given that FortiClient EMS is widely used to centrally manage VPN clients and enforce security policies across enterprise networks, the implications of such exposure are severe.

If compromised, an EMS server could provide attackers with extensive control over an organization’s endpoint ecosystem. This includes the ability to manipulate configurations, deploy malicious updates, steal VPN credentials, and establish persistent access across multiple systems. The centralized nature of EMS amplifies the potential impact, turning a single vulnerability into a gateway for widespread network compromise.

This development aligns with a broader trend of threat actors increasingly targeting Fortinet infrastructure. Fortinet products have frequently appeared in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and both ransomware groups and nation-state actors have historically leveraged these vulnerabilities as entry points into enterprise environments.

Security experts are urging organizations to take immediate action to mitigate the risk. This includes applying the latest patches released by Fortinet for both CVE-2026-35616 and CVE-2026-21643, restricting public access to EMS management interfaces, and implementing strict access controls such as VPN-based restrictions. Additionally, organizations should conduct thorough log reviews to identify any signs of compromise, including unauthorized configuration changes or suspicious outbound connections.

Continuous monitoring is also critical. Enterprises are advised to track exposure through Shadowserver’s intelligence feeds and enable advanced threat detection alerts via SIEM or endpoint detection and response (EDR) platforms to identify indicators associated with these vulnerabilities.

Fortinet has strongly advised customers to upgrade to patched versions immediately and review official security advisories for detailed remediation guidance. With confirmed in-the-wild exploitation already underway, security teams cannot afford delays, as even short windows of exposure could result in significant breaches and operational disruption.
