Patch Now! CVE-2026-35616 and CVE-2026-21643: Fortinet EMS Actively Exploited
Fortinet FortiClient EMS faces immediate risk from two critical-severity CVEs: CVE-2026-35616 in versions 7.4.5-7.4.6 and CVE-2026-21643 in 7.4.4. CVE-2026-35616 (CVSS 9.8) is an actively exploited vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) 7.4.5 through 7.4.6, published on April 4, 2026. The flaw is an improper access control [CWE-284] that can be exploited for unauthenticated remote code execution (RCE). An attacker exploiting CVE-2026-35616 may execute unauthorized code or commands through maliciously crafted HTTP requests. Because it was disclosed over the holidays, only a few national CERT alerts have so far been issued for CVE-2026-35616 [1][2]. CVE-2026-21643 is the second actively exploited flaw identified in Fortinet FortiClient EMS in recent weeks. Defused Cyber recently detected campaigns attacking CVE-2026-21643 (CVSS 9.8), which also affects Fortinet FortiClient EMS.
Greenbone’s OPENVAS ENTERPRISE FEED includes separate remote banner checks for CVE-2026-35616 [3] and CVE-2026-21643 [4] and provides a dedicated family of tests for Fortinet vulnerabilities, allowing defenders to mitigate actively evolving threats.
FortiClient EMS is Fortinet’s central management server for deploying, configuring, updating, and monitoring FortiClient enabled endpoints across enterprise environments. In security operations, FortiClient EMS helps enforce endpoint security policies, maintain visibility into device posture and compliance, and coordinate endpoint controls with the broader Fortinet ecosystem.
Risk Assessment for CVE-2026-35616
Active exploitation of CVE-2026-21643 (CVSS 9.8) was acknowledged in Fortinet’s security advisory (FG-IR-26-099) on April 4th. Defused Cyber is credited with detection of zero-day active attacks and responsible disclosure to the vendor. Watchtowr Labs has also reported detecting attacks since March 31, 2026. CVE-2026-35616 was added to CISA’s KEV catalog on April 6th and an aggressive patch deadline of April 9th was set for U.S. federal agencies.
No specific technical analysis, proof-of-concept (PoC) exploit, or attack campaign details are publicly available for CVE-2026-35616. The risk is elevated because the CVE was exploited as a zero-day, showing that adversaries have already developed exploit tooling. The Shadowserver dashboard indicates ~2,000 exposed FortiClient EMS instances remain reachable on the internet; however, this may include honeypot devices.
Risk Assessment for CVE-2026-21643
CVE-2026-21643 (CVSS 9.8) was introduced during Fortinet’s refactor of the database connection layer in version 7.4.4 and quickly patched in version 7.4.5. In recent weeks, Defused Cyber reported campaigns attacking CVE-2026-21643, which also affects Fortinet FortiClient EMS. Covered briefly in our March 2026 Threat Report, CVE-2026-21643 is an SQL injection flaw [CWE-89] potentially leading to unauthenticated RCE via specifically crafted HTTP requests. Numerous national CERT alerts have been issued [5][6][7][8][9][10][11][12][13][14][15][16][17]. CVE-2026-21643 has not yet been added to CISA’s KEV list.
A technical root-cause analysis for CVE-2026-21643 has been published, enabling rapid exploit development. According to the analysis, exploitability depends on the multitenancy feature being enabled via the SITES_ENABLED=True configuration. If multitenancy is disabled, the middleware vdom is hardcoded and does not read the attacker-controlled Site header; the vulnerable path remains present but is effectively unreachable.
Mitigating CVE-2026-35616 and CVE-2026-21643 in Fortinet FortiClient EMS
Fortinet’s advisory states that only FortiClient EMS 7.4.5 through 7.4.6 are affected; FortiClient EMS 7.2 is not affected. The immediate mitigation for CVE-2026-35616 is to apply the appropriate emergency hotfix listed in Fortinet’s official advisory for FortiClient EMS 7.4.5 or 7.4.6. Applying the hotfix does not require system downtime.
While CVE-2026-35616 affects versions 7.4.5 through 7.4.6, CVE-2026-21643 affects the earlier 7.4.4 and is mitigated by upgrading to 7.4.5 or later. Instances on earlier versions should first upgrade to at least 7.4.5 and then apply the appropriate hotfix.
According to Fortinet, FortiClient EMS version 7.4.7 will also include the fix for this issue when it is released. Greenbone’s OPENVAS ENTERPRISE FEED includes separate remote banner checks for CVE-2026-35616 [3] and CVE-2026-21643 [4] and provides a dedicated family of tests for Fortinet vulnerabilities, allowing defenders to detect and mitigate actively evolving threats.
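To turn the version ranges and the SITES_ENABLED condition above into a repeatable inventory triage, the following added example (not Greenbone's or Fortinet's code) maps a FortiClient EMS version, its hotfix state, and a configuration snippet to the findings and remediation steps described in the advisory text. The inventory records, the hotfix flag, and the settings-file line format (`SITES_ENABLED = True`) are assumptions constructed for illustration; the page does not name the file the flag lives in.

```python
"""Triage FortiClient EMS hosts against CVE-2026-35616 and CVE-2026-21643.

Added example, not Greenbone's or Fortinet's code. Affected-version ranges
follow the advisory text on this page; the inventory format, the
hotfix_applied flag and the config line format are assumptions.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'7.4.5' -> (7, 4, 5); tolerates a trailing build tag such as '7.4.5-build1234'."""
    core = v.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiClient EMS version: {v!r}")
    return tuple(int(p) for p in parts)


def sites_enabled(config_text: str) -> bool:
    """True when the multitenancy flag SITES_ENABLED is set to True.

    Matches 'SITES_ENABLED = True' / 'SITES_ENABLED=true' on its own line;
    commented-out lines do not match. Where the flag lives is an assumption.
    """
    m = re.search(r"^\s*SITES_ENABLED\s*=\s*(\w+)", config_text,
                  re.MULTILINE | re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "true"


@dataclass
class Finding:
    cve: str
    exploitable: bool   # reachable on this host as configured
    action: str


def assess(version: str, hotfix_applied: bool = False, config_text: str = "") -> list:
    """Return the advisory findings that apply to one host."""
    ver = parse_version(version)
    findings = []

    # CVE-2026-21643: SQL injection introduced in 7.4.4, fixed in 7.4.5.
    # Reachable only when multitenancy (SITES_ENABLED=True) is on; still upgrade either way.
    if ver == (7, 4, 4):
        reachable = sites_enabled(config_text)
        note = "" if reachable else " (SITES_ENABLED off: path present but unreachable)"
        findings.append(Finding(
            "CVE-2026-21643", reachable,
            "upgrade to 7.4.5 or later, then apply the CVE-2026-35616 hotfix" + note))

    # CVE-2026-35616: improper access control in 7.4.5 through 7.4.6;
    # closed by the emergency hotfix, and 7.4.7 will ship the fix.
    if (7, 4, 5) <= ver <= (7, 4, 6):
        findings.append(Finding(
            "CVE-2026-35616", not hotfix_applied,
            "hotfix applied; verify" if hotfix_applied
            else "apply Fortinet's emergency hotfix now"))

    # Older 7.4.x releases are not in either affected range, but the advisory's
    # path for earlier versions is: upgrade to at least 7.4.5, then hotfix.
    if ver[:2] == (7, 4) and ver < (7, 4, 4):
        findings.append(Finding("n/a", False, "upgrade to at least 7.4.5, then apply hotfix"))

    return findings


def triage(inventory: list) -> list:
    """Flatten per-host findings, exploitable ones first, for a patch queue."""
    rows = []
    for host in inventory:
        for f in assess(host["version"], host.get("hotfix_applied", False),
                        host.get("config", "")):
            rows.append((host["name"], f.cve, f.exploitable, f.action))
    return sorted(rows, key=lambda r: (not r[2], r[0]))


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    sample = [
        {"name": "ems-prod-01", "version": "7.4.6"},
        {"name": "ems-prod-02", "version": "7.4.6", "hotfix_applied": True},
        {"name": "ems-lab-01", "version": "7.4.4", "config": "SITES_ENABLED = True\n"},
        {"name": "ems-lab-02", "version": "7.4.4", "config": "SITES_ENABLED = False\n"},
        {"name": "ems-legacy", "version": "7.2.10"},
    ]
    for name, cve, exploitable, action in triage(sample):
        print(f"{name:12} {cve:15} {'EXPLOITABLE' if exploitable else 'ok':12} {action}")
```

The `exploitable` flag distinguishes reachable from merely present: a 7.4.4 host with multitenancy off still carries the vulnerable code path and is still scheduled for upgrade, but it sorts below hosts that are exposed right now.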
Summary
Fortinet FortiClient EMS faces immediate risk from two critical, actively exploited vulnerabilities: CVE-2026-35616 in versions 7.4.5-7.4.6 and CVE-2026-21643 in version 7.4.4. Organizations should urgently identify exposed EMS servers, upgrade affected installations, and apply Fortinet’s emergency hotfixes without delay. Greenbone’s OPENVAS ENTERPRISE FEED can help defenders detect vulnerable systems and prioritize remediation.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.