Over 2,000 FortiClient EMS Servers Vulnerable to Active RCE Exploits, Urgent Patching Advised

Over 2,000 FortiClient EMS Servers Exposed Online Amid Active RCE Exploits

The Shadowserver Foundation has recently identified over 2,000 instances of Fortinet’s FortiClient Enterprise Management Server (EMS) exposed to the public internet. Alarmingly, two of these instances have been confirmed as actively exploited through critical unauthenticated remote code execution (RCE) vulnerabilities, specifically CVE-2026-35616 and CVE-2026-21643.

Understanding the Vulnerabilities

CVE-2026-35616 and CVE-2026-21643 are both classified as unauthenticated RCE vulnerabilities. This classification indicates that attackers can remotely execute arbitrary code on vulnerable servers without requiring authentication credentials. Such vulnerabilities are particularly severe because they allow threat actors to gain full control over affected systems, potentially compromising the entire network infrastructure managed by the EMS.

Scope of Exposure

The Shadowserver Foundation’s global sensor network has detected approximately 2,000 FortiClient EMS instances accessible via the public internet. The highest concentrations of these exposed instances are in the United States and Germany. Given that FortiClient EMS is a centralized solution for managing Fortinet VPN clients and security policies across large organizations, this widespread exposure poses significant risks.

A compromised EMS server could enable attackers to manipulate endpoint configurations, deploy malicious policy updates, harvest VPN credentials, and establish persistent access across an organization’s entire endpoint fleet.

Historical Context and Ongoing Threats

This recent discovery aligns with a broader trend of threat actors targeting Fortinet infrastructure. Fortinet products have frequently appeared in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Both nation-state groups and ransomware operators have historically prioritized Fortinet vulnerabilities to gain initial access into enterprise environments.

Recommended Mitigation Measures

Organizations utilizing FortiClient EMS should take immediate action to mitigate these risks:

1. Apply Security Patches: Fortinet has released patches addressing CVE-2026-35616 and CVE-2026-21643. Organizations should apply these updates without delay to secure their systems.

2. Restrict Access: Limit internet-facing access to the EMS management interface by implementing firewall rules or requiring VPN access.

3. Monitor Logs: Regularly review system logs for signs of anomalous activity, unauthorized configuration changes, or unexpected outbound connections.

4. Stay Informed: Utilize resources like the Shadowserver Foundation’s dashboard to monitor exposure intelligence related to your network ranges.

5. Enable Threat Detection: Configure your Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) platforms to alert on indicators associated with these vulnerabilities.
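For step 4, one way to triage an exposure report against your own network ranges. This is an added example, not code from the article, Shadowserver or Fortinet. The CSV columns, the tag value, the addresses (documentation ranges), the owner labels and the function name are constructed assumptions, not a real report format.

```python
import csv
import io
import ipaddress

# Constructed inventory: networks you own, mapped to a responsible team.
OWNED_NETWORKS = {
    "198.51.100.0/24": "hq-perimeter",
    "203.0.113.64/26": "branch-vpn",
    "2001:db8:10::/48": "dc-v6",
}

# Constructed sample feed; column names and the tag are hypothetical.
SAMPLE_REPORT = """ip,port,tag
198.51.100.23,443,forticlient-ems
192.0.2.10,443,forticlient-ems
203.0.113.70,8443,forticlient-ems
203.0.113.200,443,forticlient-ems
2001:db8:10:4::15,443,forticlient-ems
not-an-ip,443,forticlient-ems
198.51.100.23,443,forticlient-ems
198.51.100.40,22,ssh
"""

def exposed_assets(report_text, owned=OWNED_NETWORKS, tag="forticlient-ems"):
    """Return (hits, rejected): hits is a sorted list of (ip, port, owner)
    for rows carrying `tag` inside an owned network; rejected holds rows
    that could not be parsed."""
    networks = [(ipaddress.ip_network(c), owner) for c, owner in owned.items()]
    hits, rejected = set(), []  # the set collapses repeated sightings
    for row in csv.DictReader(io.StringIO(report_text)):
        if row.get("tag") != tag:
            continue
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
            port = int(row["port"])
        except (ValueError, TypeError, KeyError, AttributeError):
            rejected.append(row)  # keep for manual review, never drop silently
            continue
        for net, owner in networks:
            # Only compare like with like: IPv4 to IPv4, IPv6 to IPv6.
            if addr.version == net.version and addr in net:
                hits.add((str(addr), port, owner))
    return sorted(hits), rejected

if __name__ == "__main__":
    found, bad = exposed_assets(SAMPLE_REPORT)
    for ip, port, owner in found:
        print(f"EXPOSED {ip}:{port} owner={owner}")
    print(f"{len(bad)} malformed row(s) need manual review")
```

Each hit is a candidate for step 2: confirm whether that management interface needs to be internet-facing, and restrict it if not.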

Fortinet has urged customers to consult its official security advisories and upgrade to patched firmware versions immediately. Given the confirmed active exploitation of these vulnerabilities, prompt remediation is essential to protect organizational assets.