Three unrelated but simultaneously exploited vulnerabilities surfaced this week, each targeting a different layer of the enterprise stack. Together they represent a compressed window of risk for organizations running any combination of Fortinet endpoint management, Adobe document tooling, or nginx-ui for web server administration.
FortiClient EMS: Unauthenticated RCE via Improper Access Control (CVE-2026-35616, CVSS 9.1)
Fortinet issued out-of-band patches for a critical flaw in FortiClient Enterprise Management Server. The vulnerability allows an unauthenticated attacker to execute arbitrary code or commands through crafted requests. Active exploitation is confirmed.
FortiClient EMS is a centralized management console; compromising it gives an attacker control over every endpoint the server manages. This follows a pattern: Fortinet management plane vulnerabilities (FortiManager in October 2024, FortiOS in early 2025) have become a preferred entry point for threat actors targeting enterprise perimeters.
Action: Patch immediately. If patching has to wait for a maintenance window, restrict network access to the EMS console to authorized management VLANs only until the patch is applied.
Adobe Acrobat Reader: Zero-Day Under Active Exploitation (CVE-2026-34621, CVSS 8.6)
Adobe released emergency patches for a critical Acrobat Reader vulnerability with evidence suggesting exploitation may have started as early as December 2025. That timeline, over four months of potential pre-patch exploitation, significantly widens the exposure window.
PDF-based initial access remains one of the most reliable delivery mechanisms in targeted campaigns. A zero-day in the most widely deployed PDF reader is a high-confidence phishing enabler.
Action: Deploy Adobe’s emergency update across all endpoints. Review email gateway logs for suspicious PDF attachments dating back to December 2025.
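The log review above can be scripted. The following is an added example, not code from Adobe or from this post: it parses a constructed, assumed gateway log format (one line per attachment with date, sender, recipient, filename and MIME type), keeps PDF attachments received on or after 1 December 2025, and tags each with a reason so a reviewer can prioritize extension/MIME mismatches and double extensions first.

```python
import re
from datetime import date

# Constructed sample gateway log (assumed format, not any vendor's real output):
# "<date> from=<addr> to=<addr> attach=<filename> ctype=<mime>"
SAMPLE_LOG = """\
2025-11-20 from=vendor@example.com to=ap@corp.example attach=invoice-1182.pdf ctype=application/pdf
2025-12-03 from=unknown@mail.example to=cfo@corp.example attach=contract.pdf ctype=application/pdf
2026-01-14 from=hr@corp.example to=all@corp.example attach=policy.docx ctype=application/msword
2026-02-02 from=recruit@mail.example to=hr@corp.example attach=resume.pdf.exe ctype=application/x-msdownload
2026-03-09 from=news@mail.example to=cfo@corp.example attach=report.pdf ctype=application/octet-stream
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"attach=(?P<name>\S+) ctype=(?P<ctype>\S+)$")

REVIEW_FROM = date(2025, 12, 1)  # start of the window named in the advisory


def parse(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = date.fromisoformat(rec["date"])
    return rec


def pdf_findings(log_text, since=REVIEW_FROM):
    """Return (date, sender, rcpt, filename, reason) tuples for every attachment
    with '.pdf' in its name received on/after `since`. The reason marks the two
    heuristics worth reviewing first: a '.pdf' followed by another extension,
    and a .pdf extension whose declared MIME type is not application/pdf."""
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["date"] < since:
            continue
        name = rec["name"].lower()
        if ".pdf" not in name:
            continue
        if not name.endswith(".pdf"):
            reason = "pdf-in-name-but-other-final-extension"
        elif rec["ctype"] != "application/pdf":
            reason = "pdf-extension-but-mime-" + rec["ctype"]
        else:
            reason = "pdf-in-window"
        out.append((rec["date"].isoformat(), rec["sender"], rec["rcpt"], rec["name"], reason))
    return out


if __name__ == "__main__":
    for finding in pdf_findings(SAMPLE_LOG):
        print(*finding)
```

Feed it the real gateway export after adapting LINE_RE to that product's field names; the date cut-off and the two heuristics stay the same.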
nginx-ui: Authentication Bypass to Full Server Takeover (CVE-2026-33032, CVSS 9.8)
A CVSS 9.8 authentication bypass in nginx-ui allows complete takeover of the managed Nginx service. The flaw was among the 31 vulnerabilities Recorded Future tracked as exploited in the wild this cycle.
nginx-ui is popular in smaller environments and dev/staging infrastructure where it often runs with broader permissions than production-hardened alternatives. Attackers gaining full Nginx control can redirect traffic, inject content, or pivot into backend services.
Action: Update nginx-ui immediately or remove it from internet-facing infrastructure. Audit whether any instances are running in production environments where they were only intended for staging.
Pattern Worth Noting
Two of these three targets (FortiClient EMS, nginx-ui) are management interfaces rather than the services they manage. Attackers continue to prioritize the control plane over the data plane: one compromised management console yields access to everything it administers. Organizations should audit which management interfaces are network-accessible and whether that access is appropriately restricted.