Fortinet disclosed today that a critical zero-day vulnerability in FortiClient Endpoint Management Server (EMS) is under active exploitation. Tracked as CVE-2026-35616 with a CVSS score of 9.1, the flaw allows unauthenticated attackers to bypass API authentication and authorization controls, leading to arbitrary code execution on affected servers.
Emergency hotfixes are available now. If you run FortiClient EMS 7.4.5 or 7.4.6, stop reading and go patch.
What Happened
Fortinet’s PSIRT published advisory FG-IR-26-099 confirming that attackers are actively exploiting CVE-2026-35616 in the wild. A public proof-of-concept exploit has appeared on GitHub, which means the window for opportunistic exploitation is wide open.
The vulnerability is classified as an Improper Access Control issue (CWE-284) in the FortiClient EMS API layer. An unauthenticated attacker can send crafted HTTP requests that bypass both authentication and authorization checks entirely. Once past those controls, the attacker gains the ability to execute arbitrary code or commands directly on the EMS server.
FortiClient EMS is the centralized management platform that enterprises use to deploy, configure, and monitor FortiClient endpoints across their fleet. Compromising the EMS server gives an attacker a privileged position to pivot across the managed endpoint population — it is, effectively, a keys-to-the-kingdom target for any Fortinet shop.
Technical Details
- CVE: CVE-2026-35616
- CVSS: 9.1 (Critical)
- CWE: CWE-284 — Improper Access Control
- Type: API authentication and authorization bypass → remote code execution
- Attack vector: Network, no authentication required
- Affected versions: FortiClient EMS 7.4.5 and 7.4.6
- Not affected: FortiClient EMS 7.2.x branch
- Advisory: FG-IR-26-099
The attack surface is the EMS management API. No user interaction or special privileges are required. The crafted requests bypass the API’s authentication layer entirely, meaning there is no credential brute-forcing or session hijacking involved — the auth check simply does not apply to the malicious request path.
Context: FortiClient EMS Has Been a Magnet
This is the second critical FortiClient EMS vulnerability to face active exploitation in quick succession. Just last week, CVE-2026-21643 — a separate critical flaw also in FortiClient EMS — was reported under exploitation. Fortinet appliances have been a consistent target for advanced threat actors throughout 2025 and 2026, with multiple authentication bypass and RCE vulnerabilities being chained in real-world campaigns against enterprise perimeters.
The pattern is clear: if you run Fortinet edge infrastructure, you need an aggressive patch cycle and should assume that any delay in applying critical fixes will be exploited.
Impact Assessment
Who is affected: Any organization running FortiClient EMS 7.4.5 or 7.4.6 with the management interface reachable over the network. This is a centralized management server — it is typically accessible from internal networks and in some deployments exposed to the internet.
How bad: Critical. Unauthenticated RCE on an endpoint management server means an attacker can potentially push configurations, deploy payloads, or harvest credentials across every managed endpoint. The public PoC makes mass exploitation likely.
Who is not affected: Organizations on the FortiClient EMS 7.2.x branch are not impacted by this specific CVE.
Mitigation
Immediate actions:
- Apply the emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6, available now from Fortinet. The company states the hotfix is sufficient to prevent exploitation entirely.
- Restrict network access to the EMS management API. If it does not need to be reachable from untrusted networks, firewall it off immediately.
- Check for indicators of compromise. Review EMS server logs for unusual API requests, unexpected process execution, or new scheduled tasks. Given active exploitation, assume compromise is possible if you were running affected versions without the hotfix.
- Plan your upgrade to 7.4.7, the standard release that will carry the fix once it ships; the hotfix is the stopgap until then.
Detection guidance: Monitor for anomalous HTTP requests to the FortiClient EMS API, especially unauthenticated requests that result in successful operations. Correlate with any unexpected outbound connections or process launches from the EMS server.
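As an added example (not Fortinet's tooling or anything from the advisory), the following script applies the two checks above to constructed log lines: it flags API requests that carry no credential yet receive a 2xx response, then correlates each hit with process launches spawned by the EMS web service in the minutes that follow. The line format, the `/api/` prefix, the `auth=-` marker for an unauthenticated request and the `ems-web.exe` parent-process name are all assumptions for illustration; adapt the regexes to the real log layout of your deployment.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified format. They are NOT the
# real FortiClient EMS log layout; the field names are placeholders.
SAMPLE_HTTP_LOG = """\
2026-04-04T10:15:02Z 203.0.113.7 POST /api/v1/endpoints/config auth=- status=200
2026-04-04T10:15:03Z 10.0.5.20 GET /api/v1/status auth=token status=200
2026-04-04T10:15:04Z 203.0.113.7 GET /api/v1/policies auth=- status=401
2026-04-04T10:16:40Z 10.0.5.21 GET /login auth=- status=200
2026-04-04T10:17:11Z 198.51.100.9 POST /api/v1/tasks auth=- status=201
"""

# Constructed process-start events from the same host (assumed format).
SAMPLE_PROC_LOG = """\
2026-04-04T10:15:09Z host=ems01 event=proc_start parent=ems-web.exe child=cmd.exe
2026-04-04T12:00:00Z host=ems01 event=proc_start parent=services.exe child=svchost.exe
"""

HTTP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"auth=(?P<auth>\S+) status=(?P<status>\d{3})$"
)
PROC_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=proc_start "
    r"parent=(?P<parent>\S+) child=(?P<child>\S+)$"
)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Finding:
    ts: datetime
    src: str
    method: str
    path: str
    status: int
    correlated_procs: list = field(default_factory=list)


def find_unauth_api_success(http_log: str, api_prefix: str = "/api/") -> list:
    """Return API requests that presented no credential but still succeeded.

    A 401/403 for an unauthenticated request is the expected outcome; a 2xx
    is the signal, because it means the auth layer did not apply.
    """
    findings = []
    for line in http_log.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        status = int(m["status"])
        unauthenticated = m["auth"] == "-"
        if m["path"].startswith(api_prefix) and unauthenticated and 200 <= status < 300:
            findings.append(Finding(parse_ts(m["ts"]), m["src"], m["method"],
                                    m["path"], status))
    return findings


def correlate_process_starts(findings: list, proc_log: str,
                             window: timedelta = timedelta(minutes=5),
                             web_parent: str = "ems-web.exe") -> list:
    """Attach child processes spawned by the web service shortly after each hit."""
    procs = []
    for line in proc_log.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs.append((parse_ts(m["ts"]), m["parent"], m["child"]))
    for f in findings:
        for ts, parent, child in procs:
            if parent == web_parent and f.ts <= ts <= f.ts + window:
                f.correlated_procs.append(child)
    return findings


def triage(http_log: str, proc_log: str) -> list:
    """Run both checks and return findings; a hit with correlated processes
    deserves incident-response escalation rather than just a ticket."""
    return correlate_process_starts(find_unauth_api_success(http_log), proc_log)


if __name__ == "__main__":
    for f in triage(SAMPLE_HTTP_LOG, SAMPLE_PROC_LOG):
        flag = "ESCALATE" if f.correlated_procs else "review"
        print(f"{flag}: {f.ts.isoformat()} {f.src} {f.method} {f.path} "
              f"-> {f.status} procs={f.correlated_procs}")
```

Running the script on the sample data reports two unauthenticated successes from external addresses; the first is escalated because the web service spawned a shell seven seconds later, while the `/login` hit is ignored (not an API path) and the 401 is ignored (auth was enforced). In a real deployment, feed the script the access log of the EMS web tier and an EDR or Sysmon export, and tune `window` to the latency you observe between request and payload execution.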
Timeline
| Date | Event |
|---|---|
| 2026-04-04 | Fortinet publishes FG-IR-26-099, confirms active exploitation |
| 2026-04-04 | Emergency hotfixes released for 7.4.5 and 7.4.6 |
| 2026-04-04 | Public PoC appears on GitHub |
| TBD | FortiClient EMS 7.4.7 release with integrated fix |