Two critical unauthenticated RCE vulnerabilities in Fortinet FortiClient EMS, CVE-2026-35616 and CVE-2026-21643, are under active exploitation, and more than 2,000 servers are exposed to the internet. Full technical detail, attack timeline and emergency patch guide.
What is FortiClient EMS and Why It’s a Prime Target for Cyber Attacks
First, it is important to understand exactly what FortiClient EMS (Endpoint Management Server) does within an organization; otherwise the severity of this breach is hard to grasp. This is not ordinary software. It is a centralized management platform from which IT administrators control every employee device across the company: antivirus settings, web filtering rules, VPN configurations and secure remote access policies.
This means that an attacker who compromises a FortiClient EMS server does not gain access to a single machine; they gain the master control room from which the entire organization's security is managed. From there it becomes possible to push malware, disable security software or deploy ransomware to thousands of devices with a single command.
Two Vulnerabilities Identified in One Platform With CVSS 9.1 Impact
This emergency involves two distinct vulnerabilities. CVE-2026-21643, discovered first, is a SQL injection flaw: the web-based management interface of FortiClient EMS did not properly sanitize incoming HTTP requests. Attackers hid malicious SQL within the Site header of HTTP requests, and it went straight to the backend database.
CVE-2026-35616 was discovered a few days later. It is an improper access control flaw in which API-level authentication and authorization can be bypassed: send a specially crafted request and you are inside the server, without any username or password. Both vulnerabilities carry a CVSS score of 9.1, in the Critical range. Both are unauthenticated, both are remote, and both are now being actively exploited in the wild.
Exploitation Timeline: When Even CISA Was Too Late to Respond
What makes this event so alarming is that exploitation started before the government's official known-exploited list was updated. Threat intelligence firm Defused warned on March 30, 2026, that CVE-2026-21643 was still marked as not exploited on CISA's KEV list, while according to their own data exploitation had begun four days earlier.
In other words, the window during which security teams wait for official alerts had already closed. On March 31, watchTowr's honeypots recorded the first attacks against CVE-2026-35616. On April 5, Fortinet released an emergency patch over the weekend, outside the regular maintenance schedule, which in itself shows the situation could not wait for a normal patch cycle.
Shadowserver Warns of 2,000+ Publicly Exposed Systems at Risk
On April 5 and 6, 2026, the Shadowserver Foundation, a nonprofit security research organization, updated its public tracking data. According to its Internet scanning, more than 2,000 FortiClient EMS servers worldwide are directly accessible over the public Internet, with the highest concentration in the United States and Germany.
These are only the servers Shadowserver could detect; the actual number may be higher. Having 2,000 EMS servers reachable from the Internet is itself a serious misconfiguration; with active exploitation under way it becomes an immediate operational emergency. Shadowserver has fingerprinted these servers and its public dashboard is updated continuously.
Minimal Effort, Maximum Impact: Exploitation with Just One Request
It is worth understanding, technically, how little effort exploitation takes. For CVE-2026-21643 the attacker only needs to send an HTTP request with a SQL injection payload in the Site header. The server does not validate this input and passes it directly into a backend database query.
For CVE-2026-35616 the attacker bypasses the API authentication layer: the gatekeeper that checks identities can be tricked with a specially crafted request. In both cases the attacker needs no leaked credentials, no phishing campaign and no insider access. Internet connectivity and a crafted HTTP request are enough for a complete server takeover.
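To make the Site-header injection pattern concrete, here is an added illustrative example written for this page; it is not FortiClient EMS code and not anything published by Fortinet or the researchers named above. The only detail taken from the article is that an attacker-controlled Site header reached a database query without validation. The `sites` table, its columns, the lookup logic, the allow-list format and the use of SQLite in place of the real backend are all assumptions. It puts the vulnerable pattern beside two layers of the fix: a bound query parameter, and an allow-list check on the header value that rejects attempts loudly so they can be logged.

```python
"""Header-sourced SQL injection: vulnerable pattern beside the hardened form.

Illustrative reconstruction only. Assumptions: the table name, columns and
lookup logic are hypothetical, and SQLite stands in for the real backend.
This is not FortiClient EMS code.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table keyed by site name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (name TEXT PRIMARY KEY, api_key TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?)",
        [("default", "key-default-111"),
         ("hq", "key-hq-222"),
         ("branch", "key-branch-333")],
    )
    conn.commit()
    return conn


def lookup_site_vulnerable(conn, headers):
    """The flaw pattern: the attacker-controlled header is spliced into SQL text.

    A value such as  x' OR '1'='1  closes the string literal and appends a
    tautology, so the WHERE clause matches every row in the table.
    """
    site = headers.get("Site", "default")
    sql = "SELECT name, api_key FROM sites WHERE name = '" + site + "'"
    return conn.execute(sql).fetchall()


# Allow-list for a site identifier (hypothetical format chosen for this
# example); anything else is rejected before it reaches the database.
SITE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def lookup_site_parameterized(conn, headers):
    """Fix, layer 1: bind the value instead of splicing it into the query.

    The driver passes the value separately from the statement text, so quote
    characters in it are data, not syntax; an injection string simply fails
    to match any site name and returns no rows.
    """
    site = headers.get("Site", "default")
    return conn.execute(
        "SELECT name, api_key FROM sites WHERE name = ?", (site,)
    ).fetchall()


def lookup_site_hardened(conn, headers):
    """Fix, layer 2: validate against the allow-list, then bind.

    Rejecting with an exception rather than silently returning nothing gives
    the application a hook to log and alert on injection attempts.
    """
    site = headers.get("Site", "default")
    if not SITE_NAME.fullmatch(site):
        raise ValueError("rejected Site header: %r" % site)
    return lookup_site_parameterized(conn, {"Site": site})


def demo():
    """Run a legitimate header and a constructed payload through all handlers."""
    conn = make_db()
    legit = {"Site": "hq"}
    payload = {"Site": "x' OR '1'='1"}   # constructed tautology payload
    results = {
        "vulnerable_legit": lookup_site_vulnerable(conn, legit),
        "vulnerable_payload": lookup_site_vulnerable(conn, payload),
        "parameterized_payload": lookup_site_parameterized(conn, payload),
        "hardened_legit": lookup_site_hardened(conn, legit),
    }
    try:
        lookup_site_hardened(conn, payload)
        results["hardened_payload"] = "accepted"
    except ValueError:
        results["hardened_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running `demo()` shows the whole problem in one place: the vulnerable handler returns every site's API key for the tautology payload, the parameterized handler returns nothing for it, and the hardened handler refuses it outright while still serving the legitimate lookup. The parameter binding is what actually removes the injection; the allow-list is there so that an attempt becomes a detectable event rather than a silent empty result.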
Fortinet's History of Vulnerabilities: Repeating Security Challenges
It would be wrong to treat this as an isolated case. CISA has officially flagged 24 separate Fortinet vulnerabilities as actively exploited, 13 of which have been used directly in ransomware attacks. Two years ago, in March 2024, another FortiClient EMS SQL injection vulnerability was used by the Chinese state-sponsored hacking group Salt Typhoon to breach telecommunications companies in the United States.
In February 2026, Fortinet was forced to block FortiCloud SSO connections in response to zero-day attacks on CVE-2026-24858. The pattern suggests that Fortinet products, especially internet-facing management interfaces, are consistently on the radar of sophisticated attackers. As a cornerstone of enterprise security, they are high-value targets.
Is a Single Threat Actor Exploiting Both Vulnerabilities?
This question is still before investigators, and the answer has not yet been made public. The Hacker News reported that it is not currently known whether the same threat actor is behind the exploitation of both flaws, or whether they are being weaponized together.
If the two vulnerabilities are used together the danger is greater: initial access through the SQL injection followed by privilege escalation through the API bypass would form a complete server takeover chain. Researchers are monitoring whether the two CVEs are being chained or whether different threat actors are using different flaws.
The Security Industry's Shrinking Window Problem Explained
This incident highlights a broader and growing problem in cybersecurity known as the shrinking window: the time between disclosure and exploitation is rapidly closing. That window used to be measured in weeks: researchers discovered a vulnerability, details were published, attackers developed an exploit, and organizations had time to apply a patch in between.
Now it has shrunk to days or even hours. In the case of CVE-2026-21643, Bishop Fox published a detailed technical analysis on March 27, and exploitation was confirmed on March 30, just three days later. At that speed organizations can no longer operate on a scheduled maintenance approach; an emergency response must begin as soon as a vulnerability is disclosed.
Step-by-Step Emergency Guide: What to Do Immediately
If your organization uses FortiClient EMS, complete these steps today. First, check Fortinet's official advisory and immediately install the hotfix for FortiClient EMS 7.4.5 or 7.4.6, or upgrade to version 7.4.7 when it becomes available. Second, audit your firewall rules and confirm that the EMS management interface is not reachable from the public internet; if it is, block that access immediately.
Allow administrative access only over a VPN or from a trusted internal network. Third, look for anomalous activity in the EMS server logs: unusual outbound connections, unauthorized configuration changes or unexpected processes. Because exploitation began before the patch was available, a server that was reachable from the internet during that period should be treated as potentially compromised until this review is complete; patching alone does not evict an attacker who is already inside. Fourth, add the IP address ranges and domain names that Defused and watchTowr have published as indicators of compromise to your SIEM or EDR.
Conclusion
The most important lesson from this incident is not that Fortinet had a vulnerability. Enterprise software always has vulnerabilities; that is a given. The real issue is that more than 2,000 organizations had their central security management servers directly exposed to the public internet without a VPN or any access restriction.
Keeping the security tools themselves secure, and shielding them from the internet, is the organization's responsibility, not the vendor's. FortiClient EMS was designed for internal network management, not for exposure to the public internet. Combine that misconfiguration with a critical vulnerability and the result is what 2,000 organizations face today. The lesson is not just to patch; it is to minimize your attack surface, especially for the tools that control your entire security posture.