Fortinet has disclosed a critical-severity vulnerability in its FortiClient Endpoint Management Server (EMS) that could allow unauthenticated remote attackers to execute arbitrary code or commands on affected systems.
Tracked as CVE-2026-35616 and assigned a CVSSv3 score of 9.1, the flaw has been confirmed as exploited in the wild, making immediate patching an urgent priority for enterprise security teams.
The advisory, published on April 4, 2026, under Fortinet’s internal reference FG-IR-26-099, affects FortiClientEMS versions 7.4.5 through 7.4.6. Fortinet has already released hotfixes for both affected versions and has urged all vulnerable customers to apply them without delay.
Overview
FortiClient EMS is a centralized endpoint management platform used by organizations to manage and enforce security policies across endpoints running Fortinet’s FortiClient software.
It is widely deployed across enterprise environments, making it a high-value target for threat actors seeking initial access or lateral movement capabilities.
The newly disclosed vulnerability stems from an Improper Access Control flaw (CWE-284) in the EMS API component. Because the flaw resides in the API layer and requires no authentication, attackers can exploit it remotely without needing valid credentials, a user account, or any prior foothold inside the target network.
The attack complexity is rated Low, and no user interaction is required, allowing full automation of exploitation.
Fortinet confirmed that it has observed active exploitation of this vulnerability in the wild, significantly increasing the risk. Organizations running affected versions should treat this as an emergency remediation item.
Technical Details
At its core, CVE-2026-35616 stems from improper access control (CWE-284) in FortiClientEMS’s API subsystem. The flaw allows crafted HTTP requests to bypass authentication and authorization checks that should restrict access to sensitive API endpoints.
When exploited successfully, an attacker can execute unauthorized code or operating system commands on the EMS server. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms the full impact across all three security pillars:
- Confidentiality (High): Attackers can access sensitive endpoint telemetry, policy configurations, user data, and network topology information stored within EMS.
- Integrity (High): Malicious actors can modify endpoint management policies, push unauthorized configurations to connected endpoints, or tamper with security controls.
- Availability (High): The server and its managed endpoint ecosystem can be disrupted or taken offline entirely.
The impact classification is Escalation of Privilege, meaning a successful attack can grant an unauthenticated user administrative-level control over the EMS platform and potentially the endpoints it manages.
Given that EMS acts as a management plane for security tools deployed across an organization, this type of access could have cascading consequences, including disabling endpoint protection on thousands of managed devices.
The vulnerability was discovered externally and responsibly disclosed by Simo Kohonen of Defused and Nguyen Duc Anh, both of whom Fortinet has officially acknowledged for their responsible disclosure.
Affected Versions
Only the FortiClientEMS 7.4 branch is affected by this vulnerability. The 7.2 branch has been confirmed as not affected.
| Product | Affected Versions | Status |
|---|---|---|
| FortiClientEMS 7.4 | 7.4.5 through 7.4.6 | Vulnerable (hotfix available) |
| FortiClientEMS 7.2 | All versions | Not affected |
Organizations should audit their EMS deployments immediately to identify any instances running version 7.4.5 or 7.4.6. Given that EMS is often deployed as a central management server, even a single unpatched instance can expose the entire endpoint fleet to risk.
Patched Versions
Fortinet has made hotfixes available for both affected versions. These hotfixes fully mitigate the vulnerability and are recommended for immediate deployment while organizations wait for the upcoming full release.
The permanent fix will be included in FortiClientEMS 7.4.7, which is currently in development. Fortinet has confirmed that upgrading to 7.4.7 or above will resolve the issue entirely once the release is available. In the meantime, applying the hotfix is the recommended and fully effective course of action.
Mitigation Steps
Security teams should take the following immediate actions:
- Identify affected instances: audit all FortiClientEMS deployments and confirm which versions are running across your environment.
- Apply the hotfix immediately: install the hotfix for your version (7.4.5 or 7.4.6) following Fortinet's official documentation.
- Restrict EMS API exposure: where possible, limit network access to the FortiClientEMS server using firewall rules, ensuring the API is not reachable from untrusted networks or the public internet.
- Monitor for indicators of compromise: review EMS logs for unusual or unauthorized API calls, unexpected configuration changes, or anomalous endpoint policy modifications that may indicate prior exploitation.
- Plan for the 7.4.7 upgrade: track the release of FortiClientEMS 7.4.7 and schedule an upgrade as part of your standard patch cycle once it becomes available.
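As an added example (not Fortinet's code and not part of the advisory), the following Python script applies the version logic from this advisory to an inventory of EMS hosts and ranks which instances need the hotfix first. The inventory format, the hostnames, and the `hotfix_applied` and `internet_exposed` fields are assumptions constructed for illustration.

```python
"""Triage FortiClientEMS instances against FG-IR-26-099 / CVE-2026-35616."""
from dataclasses import dataclass

VULNERABLE = {(7, 4, 5), (7, 4, 6)}   # versions named as affected in the advisory
FIXED_FROM = (7, 4, 7)                 # release announced to carry the permanent fix


@dataclass
class Instance:
    host: str                  # placeholder hostname (constructed)
    version: str               # e.g. "7.4.6"
    hotfix_applied: bool = False   # assumed inventory field
    internet_exposed: bool = False # assumed inventory field (API reachable from untrusted nets)


def parse_version(v: str) -> tuple:
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {v!r}")
    return tuple(int(p) for p in parts)


def classify(inst: Instance) -> str:
    ver = parse_version(inst.version)
    if ver[:2] == (7, 2):
        return "not-affected"          # 7.2 branch confirmed not affected
    if ver in VULNERABLE:
        return "hotfixed" if inst.hotfix_applied else "VULNERABLE"
    if ver[:2] == (7, 4) and ver >= FIXED_FROM:
        return "fixed"
    return "unknown"                   # version not covered by the advisory text


def priority(inst: Instance) -> str:
    """P1: vulnerable and reachable from untrusted networks; P2: vulnerable but restricted."""
    status = classify(inst)
    if status == "VULNERABLE":
        return "P1" if inst.internet_exposed else "P2"
    return "P3" if status == "unknown" else "none"


# Constructed sample inventory (hostnames are placeholders)
SAMPLE = [
    Instance("ems-hq.example", "7.4.6", internet_exposed=True),
    Instance("ems-dr.example", "7.4.5", hotfix_applied=True),
    Instance("ems-legacy.example", "7.2.9"),
    Instance("ems-new.example", "7.4.7"),
]

if __name__ == "__main__":
    for inst in sorted(SAMPLE, key=priority):
        print(f"{inst.host:20} {inst.version:8} {classify(inst):13} {priority(inst)}")
```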
Frequently Asked Questions
Q1: Is CVE-2026-35616 being actively exploited right now?
Yes. Fortinet has confirmed that this vulnerability has been observed being exploited in the wild. Although the “Known Exploited” field in the advisory currently lists “No,” indicating it has not yet been formally added to catalogs like CISA’s KEV, Fortinet’s own statement explicitly acknowledges active exploitation, making this a critical priority for immediate remediation.
Q2: Does applying the hotfix fully protect against this vulnerability, or do I need to wait for version 7.4.7?
Applying the hotfix for FortiClientEMS 7.4.5 or 7.4.6 is fully sufficient to prevent exploitation of this vulnerability. Fortinet has explicitly stated that the hotfix “is sufficient to prevent it entirely.” The upcoming 7.4.7 release will incorporate the same fix as a permanent part of the codebase, but organizations do not need to wait for it to be protected.
Site: thecybrdef.com