Over 2,000 FortiClient EMS Servers Exposed Online Amid Active RCE Exploits
The Shadowserver Foundation has recently identified over 2,000 instances of Fortinet’s FortiClient Enterprise Management Server (EMS) exposed to the public internet. Alarmingly, two of these instances have been confirmed as actively exploited through critical unauthenticated remote code execution (RCE) vulnerabilities.
The vulnerabilities in question, CVE-2026-35616 and CVE-2026-21643, are both classified as unauthenticated RCE flaws. This classification indicates that attackers can remotely execute arbitrary code on vulnerable servers without requiring authentication credentials. Such vulnerabilities are particularly severe, as they can grant attackers full control over affected systems and the endpoints they manage.
CVE-2026-35616 is a newly disclosed vulnerability, while CVE-2026-21643 has been under scrutiny in recent weeks. Both vulnerabilities have now been confirmed as exploited in the wild, meaning threat actors are actively leveraging them against unpatched deployments.
The scale of exposure is significant. Shadowserver’s global sensor network has fingerprinted approximately 2,000 FortiClient EMS instances exposed to the public internet. The United States and Germany top the list of affected countries, according to Shadowserver’s public dashboard data.
FortiClient EMS is an enterprise endpoint management solution used to centrally manage Fortinet VPN clients and security policies across large organizations. A compromised EMS server could allow attackers to manipulate endpoint configurations, push malicious policy updates, harvest VPN credentials, and establish persistent footholds across an organization’s entire endpoint fleet.
This latest alert is consistent with a broader trend of threat actors targeting Fortinet infrastructure. Fortinet products have repeatedly appeared in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and nation-state groups alongside ransomware operators have historically prioritized Fortinet flaws for initial access into enterprise environments.
Organizations running FortiClient EMS should take the following steps immediately:
– Apply patches released by Fortinet addressing CVE-2026-35616 and CVE-2026-21643 without delay.
– Restrict internet-facing access to the EMS management interface using firewall rules or VPN-gated access.
– Review logs for anomalous activity, unauthorized configuration changes, or unexpected outbound connections.
– Monitor Shadowserver’s dashboard for ongoing exposure intelligence related to your network ranges.
– Enable threat detection alerts through your SIEM or EDR platform for indicators associated with these CVEs.
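For the exposure-monitoring step above, one way to check an exported exposure report against your own network ranges. This is an added example, not Shadowserver or Fortinet code; the CSV column names, the "forticlient-ems" tag value and all addresses are constructed assumptions, so adjust them to the report you actually receive.

```python
import csv
import io
import ipaddress

# Constructed sample rows. The column names and the "forticlient-ems" tag
# are assumptions for this example, not Shadowserver's actual report schema.
SAMPLE_REPORT = """timestamp,ip,port,tag
2026-01-01 00:00:00,192.0.2.10,443,forticlient-ems
2026-01-01 00:00:00,198.51.100.7,443,forticlient-ems
2026-01-01 00:00:00,203.0.113.5,8443,other-device
2026-01-01 00:00:00,2001:db8:10::5,443,forticlient-ems
2026-01-01 00:00:00,not-an-ip,443,forticlient-ems
"""

# Constructed "our" ranges, taken from documentation address space.
OUR_RANGES = ["192.0.2.0/24", "203.0.113.0/24", "2001:db8:10::/48"]


def match_exposures(report_csv, cidrs, tag):
    """Return (hits, rejected): rows tagged `tag` that fall inside `cidrs`,
    plus matching-tag rows whose address could not be parsed."""
    # strict=True rejects CIDRs with host bits set, catching inventory typos.
    networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    hits, rejected = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if (row.get("tag") or "").strip().lower() != tag:
            continue
        try:
            addr = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            rejected.append(row)  # keep for manual review, never drop silently
            continue
        # An IPv4 address tested against an IPv6 network is simply False.
        owner = next((n for n in networks if addr in n), None)
        if owner is not None:
            hits.append({"ip": str(addr), "port": row.get("port"),
                         "range": str(owner), "seen": row.get("timestamp")})
    return hits, rejected


if __name__ == "__main__":
    found, bad = match_exposures(SAMPLE_REPORT, OUR_RANGES, "forticlient-ems")
    for h in found:
        print(f"EXPOSED {h['ip']}:{h['port']} in {h['range']} (seen {h['seen']})")
    print(f"{len(bad)} row(s) need manual review")
```

Any hit is a host to patch and move behind firewall or VPN-gated access first; rejected rows are worth a manual look rather than being ignored.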
Fortinet has urged customers to consult its official security advisories and upgrade to patched firmware versions immediately. Given confirmed in-the-wild exploitation, delayed remediation is not an option.