blK qG

2,000+ FortiClient EMS Instances Exposed Online as Attackers Exploit Active RCE Flaw

Cybersecurity researchers have issued an urgent warning for organizations using Fortinet’s FortiClient Enterprise Management Server (EMS).

Over 2,000 instances of this critical administrative tool are currently exposed to the public internet. Threat actors are actively exploiting severe vulnerabilities to take full control of these systems.

These security gaps are tracked as CVE-2026-35616 and CVE-2026-21643, both classified as unauthenticated Remote Code Execution (RCE) vulnerabilities. This means attackers do not need credentials to break in; simply sending a crafted request over the internet to a vulnerable FortiClient EMS server allows hackers to run malicious commands and take over the underlying operating system.

The Shadowserver Foundation, a leading nonprofit security research group, recently detected active, in-the-wild exploitation of these critical flaws.

Global Exposure Data

According to Shadowserver’s public tracking dashboard, thousands of organizations have mistakenly left their FortiClient EMS servers directly accessible from the outside world.

Their internet scanning data reveals approximately 2,000 servers are currently visible and at risk globally. The exposure is geographically widespread, with the United States and Germany holding the highest concentrations of vulnerable instances.

Leaving a central management server exposed to the public internet is dangerous on its own, especially with active exploits circulating, creating a critical emergency for IT teams.

FortiClient EMS is a centralized tool designed to manage endpoint security across an entire corporate network, handling antivirus settings, web filtering rules, and secure remote access policies for employee devices.

If cybercriminals compromise an EMS server, they gain a powerful, trusted foothold into the broader corporate environment. Attackers can push malware, disable security software on user laptops, or deploy ransomware across the organization using this centralized management capability.

Because employee devices inherently trust instructions from the EMS server, malicious commands execute without triggering typical security alarms.

Organizations utilizing Fortinet’s EMS must act swiftly to secure their infrastructure before threat actors locate their exposed systems.

The most critical step is applying the latest security patches from Fortinet to eliminate CVE-2026-35616 and CVE-2026-21643.

IT administrators must immediately review firewall and network configurations. Management interfaces for FortiClient EMS should never be exposed directly to the public internet; access must be strictly isolated to trusted internal networks or secured behind a properly configured Virtual Private Network (VPN).

Related Articles

Back to top button