Joseph Lee

Patch Now! CVE-2026-35616 and CVE-2026-21643: Fortinet EMS Actively Exploited


Fortinet FortiClient EMS faces immediate risk from two critical-severity CVEs: CVE-2026-35616 in versions 7.4.5 through 7.4.6 and CVE-2026-21643 in version 7.4.4. CVE-2026-35616 (CVSS 9.8) is an actively exploited vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) 7.4.5 through 7.4.6, published on April 4, 2026. The flaw is an improper access control weakness [CWE-284] that can be exploited for unauthenticated remote code execution (RCE): an attacker may execute unauthorized code or commands through maliciously crafted HTTP requests. Because it was disclosed over the holidays, only a few national CERT alerts have so far been issued for CVE-2026-35616 [1][2]. CVE-2026-21643 (CVSS 9.8), which also affects Fortinet FortiClient EMS, is the second actively exploited flaw identified in the product in recent weeks; Defused Cyber recently detected campaigns attacking it.

Greenbone’s OPENVAS ENTERPRISE FEED includes separate remote banner checks for CVE-2026-35616 [3] and CVE-2026-21643 [4] and provides a dedicated family of tests for Fortinet vulnerabilities, allowing defenders to mitigate actively evolving threats.


Critical Fortinet Vulnerabilities

FortiClient EMS is Fortinet’s central management server for deploying, configuring, updating, and monitoring FortiClient-enabled endpoints across enterprise environments. In security operations, FortiClient EMS enforces endpoint security policies, maintains visibility into device posture and compliance, and coordinates endpoint controls with the broader Fortinet ecosystem.


Risk Assessment for CVE-2026-35616

Active exploitation of CVE-2026-21643 (CVSS 9.8) was acknowledged in Fortinet’s security advisory (FG-IR-26-099) on April 4th. Defused Cyber is credited with detection of zero-day active attacks and responsible disclosure to the vendor. Watchtowr Labs has also reported detecting attacks since March 31, 2026. CVE-2026-35616 was added to CISA’s KEV catalog on April 6th and an aggressive patch deadline of April 9th was set for U.S. federal agencies.

No specific technical analysis, proof-of-concept (PoC) exploit, or attack campaign details are publicly available for CVE-2026-35616. The risk is elevated because the CVE was exploited as a zero-day, showing that adversaries have already developed exploit tooling. The Shadowserver dashboard indicates ~2,000 exposed FortiClient EMS instances remain reachable on the internet; however, this may include honeypot devices.

Risk Assessment for CVE-2026-21643

CVE-2026-21643 (CVSS 9.8) was introduced during Fortinet’s refactor of the database connection layer in version 7.4.4 and quickly patched in version 7.4.5. In recent weeks, Defused Cyber reported campaigns attacking CVE-2026-21643, which also affects Fortinet FortiClient EMS. Covered briefly in our March 2026 Threat Report, CVE-2026-21643 is an SQL injection flaw [CWE-89] that can lead to unauthenticated RCE via specifically crafted HTTP requests. Numerous national CERT alerts have been issued [5][6][7][8][9][10][11][12][13][14][15][16][17]. CVE-2026-21643 has not yet been added to CISA’s KEV list.

A technical root-cause analysis for CVE-2026-21643 has been published, enabling rapid exploit development. According to the analysis, exploitability depends on the multitenancy feature being enabled via the SITES_ENABLED=True configuration. If multitenancy is disabled, the middleware vdom is hardcoded and the attacker-controlled Site header is never read, so the vulnerable code path remains present but is effectively unreachable.

Mitigating CVE-2026-35616 and CVE-2026-21643 in Fortinet FortiClient EMS

Fortinet’s advisory states that only FortiClient EMS 7.4.5 through 7.4.6 are affected by CVE-2026-35616; FortiClient EMS 7.2 is not affected. The immediate mitigation for CVE-2026-35616 is to apply the appropriate emergency hotfix listed in Fortinet’s official advisory for FortiClient EMS 7.4.5 or 7.4.6. Applying the hotfix does not require system downtime.

While CVE-2026-35616 affects versions 7.4.5 through 7.4.6, CVE-2026-21643 affects the earlier 7.4.4 and is mitigated by upgrading to 7.4.5 or later. Instances on earlier versions should first upgrade to at least 7.4.5 and then apply the appropriate hotfix.

According to Fortinet, FortiClient EMS version 7.4.7 will also include the fix for CVE-2026-35616 when it is released. Greenbone’s OPENVAS ENTERPRISE FEED includes separate remote banner checks for CVE-2026-35616 [3] and CVE-2026-21643 [4] and provides a dedicated family of tests for Fortinet vulnerabilities, allowing defenders to detect and mitigate actively evolving threats.
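As an added example (not Greenbone’s or Fortinet’s code), the Python script below turns the version rules in this mitigation section and the SITES_ENABLED reachability condition from the root-cause summary into a triage helper for an EMS inventory, so that the servers needing the hotfix or upgrade first are listed first. The host names are constructed sample data, and the `sites_enabled` and `hotfix_applied` fields are assumptions: a version banner alone reveals neither whether multitenancy is on nor whether a hotfix has been applied, so those values would have to come from the server’s configuration or change records.

```python
"""Triage helper for FortiClient EMS inventories, built around the rules in
this post.  Added example, not Greenbone or Fortinet code.

Encoded rules (as stated in the article):
  * CVE-2026-21643: affects 7.4.4; fixed by upgrading to 7.4.5 or later.
  * CVE-2026-35616: affects 7.4.5 through 7.4.6; apply Fortinet's emergency
    hotfix (no downtime) or move to 7.4.7 once released; 7.2 is not affected.
  * Builds older than 7.4.4 should upgrade to at least 7.4.5, then hotfix.
  * CVE-2026-21643 is only reachable when multitenancy (SITES_ENABLED=True)
    is on, because the Site header is otherwise never read.

`sites_enabled` and `hotfix_applied` are assumed inputs: a banner reveals
neither, so they must come from configuration or change records.
"""
from dataclasses import dataclass, field
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
RANK = {"critical": 0, "high": 1, "advisory": 2, "none": 3}


def parse_version(text):
    """Turn a banner string such as '7.4.5' into a comparable tuple (7, 4, 5)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


@dataclass
class Finding:
    host: str
    version: str
    priority: str = "none"
    cves: list = field(default_factory=list)
    action: str = "no action required by this post"
    notes: list = field(default_factory=list)


def assess(host, version, sites_enabled=False, hotfix_applied=False):
    """Apply the article's version and configuration rules to one EMS server."""
    v = parse_version(version)
    f = Finding(host=host, version=version)

    if v == (7, 4, 4):
        f.cves.append("CVE-2026-21643")
        f.action = "upgrade to 7.4.5 or later, then apply the CVE-2026-35616 hotfix"
        if sites_enabled:
            f.priority = "critical"
            f.notes.append("multitenancy enabled: SQL injection path reachable via Site header")
        else:
            f.priority = "high"
            f.notes.append("multitenancy disabled: vulnerable path present but effectively unreachable")
    elif (7, 4, 5) <= v <= (7, 4, 6):
        if hotfix_applied:
            f.notes.append("CVE-2026-35616 hotfix recorded; confirm against Fortinet's advisory")
        else:
            f.cves.append("CVE-2026-35616")
            f.priority = "critical"
            f.action = "apply Fortinet's emergency hotfix (no downtime) or upgrade to 7.4.7 once released"
    elif v[:2] == (7, 4) and v < (7, 4, 4):
        f.priority = "advisory"
        f.action = "upgrade to at least 7.4.5, then apply the CVE-2026-35616 hotfix"
    elif v[:2] == (7, 4):  # remaining 7.4.x builds are 7.4.7 or later
        f.notes.append("7.4.7 or later: includes the CVE-2026-35616 fix")
    elif v[:2] == (7, 2):
        f.notes.append("7.2 branch: not affected by CVE-2026-35616 per Fortinet's advisory")
    else:
        f.notes.append("branch not discussed in this post; check Fortinet's advisory")
    return f


def triage(inventory):
    """Assess every inventory entry and order the results, most urgent first."""
    findings = [assess(**entry) for entry in inventory]
    return sorted(findings, key=lambda f: (RANK[f.priority], f.host))


INVENTORY = [  # constructed sample data, not real hosts
    {"host": "ems-01.example.internal", "version": "7.4.6"},
    {"host": "ems-02.example.internal", "version": "7.4.4", "sites_enabled": True},
    {"host": "ems-03.example.internal", "version": "7.2.9"},
    {"host": "ems-04.example.internal", "version": "7.4.5", "hotfix_applied": True},
    {"host": "ems-05.example.internal", "version": "7.4.4"},
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.priority:9} {f.host:26} {f.version:7} {', '.join(f.cves) or '-'}")
        print(f"          action: {f.action}")
        for n in f.notes:
            print(f"          note:   {n}")
```

The ordering deliberately ranks an unpatched 7.4.5/7.4.6 server and a multitenant 7.4.4 server equally, since both expose an actively exploited flaw, while a 7.4.4 server with multitenancy off is ranked one step lower but still told to upgrade: the vulnerable path is present, and a later configuration change would make it reachable.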

Summary

Fortinet FortiClient EMS faces immediate risk from two critical, actively exploited vulnerabilities: CVE-2026-35616 in versions 7.4.5-7.4.6 and CVE-2026-21643 in version 7.4.4. Organizations should urgently identify exposed EMS servers, upgrade affected installations, and apply Fortinet’s emergency hotfixes without delay. Greenbone’s OPENVAS ENTERPRISE FEED can help defenders detect vulnerable systems and prioritize remediation.

Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.


8 April 2026 / by Joseph Lee