CVE-2026-35616

Fortinet FortiClient EMS — Pre-Authentication Remote Code Execution
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What is FortiClient EMS?

Fortinet FortiClient Enterprise Management Server (EMS) is a centralized management platform for the FortiClient endpoint security agent. Organizations deploy it to manage FortiClient installations across their entire fleet of Windows, macOS, Linux, and mobile endpoints from a single server.

Key functions include:

  • Endpoint policy management — centrally deploy and enforce security policies (firewall rules, web filtering, application control, antivirus settings) across all managed devices
  • VPN configuration — distribute and manage SSL-VPN and IPsec VPN profiles so endpoints can connect securely to corporate networks
  • Zero Trust Network Access (ZTNA) — enforce posture-based access controls, verifying that endpoints meet compliance requirements before granting network access
  • Endpoint visibility — provide real-time status of endpoint security posture, patch levels, and compliance across the organization
  • Fortinet Security Fabric integration — share endpoint telemetry with other Fortinet products (FortiGate, FortiAnalyzer) for coordinated threat response

EMS is typically deployed on-premises as a Windows Server application and is directly accessible by all managed endpoints. Because it controls security policy across every managed device, a compromise of EMS gives an attacker a privileged position to weaken endpoint defenses, redistribute malicious configurations, or use the management channel for lateral movement — making it a high-value target.

Overview

Fortinet FortiClient Enterprise Management Server (EMS) contains an improper access control vulnerability (CWE-284) in its API layer that allows an unauthenticated remote attacker to execute arbitrary code and commands on the affected server. The vulnerability was exploited in the wild as a zero-day before Fortinet's public disclosure on April 4, 2026.

The extremely short CISA BOD 22-01 remediation window — three days from KEV listing to deadline — reflects the severity of active exploitation and the risk posed to federal networks. Exploitation activity was first detected on March 31, 2026 — Easter weekend — a timing that appears deliberate, targeting the reduced security team capacity typical of holiday periods.

Affected Versions

Version                               Status
FortiClientEMS 7.4.6                  Vulnerable
FortiClientEMS 7.4.5                  Vulnerable
FortiClientEMS 7.2.x and earlier      Not affected

Fix: Upgrade to FortiClientEMS 7.4.7 (full patch). For installations that cannot upgrade immediately, Fortinet released emergency out-of-band hotfixes for 7.4.5 and 7.4.6 available via the Fortinet documentation portal release notes for each version.

Technical Details

The vulnerability is a pre-authentication API access bypass. API endpoints in FortiClientEMS fail to enforce authentication and authorization checks, allowing any network-reachable attacker to send crafted HTTP requests to unprotected endpoints and trigger arbitrary code execution with the privileges of the EMS service.

Attack characteristics:

  • No credentials, session tokens, or prior access required
  • Exploitable directly from the internet against any exposed EMS management interface
  • Single crafted HTTP request sufficient to achieve RCE

CWE-284 (Improper Access Control): The application fails to restrict access to security-sensitive operations. Authentication checks are absent on endpoints that execute privileged server-side actions, allowing unauthenticated callers to trigger privileged operations.

Discovery

CVE-2026-35616 was discovered by Simo Kohonen (Defused Cyber) and Nguyen Duc Anh, who observed active zero-day exploitation before reporting to Fortinet. Defused Cyber and watchTowr independently documented in-the-wild exploitation; watchTowr's honeypot sensors first recorded attack traffic on March 31, 2026 — five days before Fortinet's public advisory.

The same research team previously discovered CVE-2026-21643 (CVSS 9.1), a separate critical FortiClient EMS flaw involving SQL injection via the Site HTTP header. CVE-2026-21643 was also actively exploited and patched in the weeks prior to this vulnerability, underscoring the sustained research focus on FortiClient EMS attack surface.

Exploitation Context

At the time of KEV listing, the Shadowserver Foundation identified over 2,000 publicly accessible FortiClientEMS instances worldwide, with the largest concentrations in the United States and Germany. Active exploitation was confirmed, with at least two instances sustaining successful RCE compromises.

Exploitation began over Easter weekend — a period when enterprise security operations teams typically run at reduced staffing. This timing, combined with the pre-existing public availability of technical details from the related CVE-2026-21643, suggests opportunistic threat actors were prepared to move quickly once the vulnerability was disclosed.

Fortinet products are a sustained focus for threat actors. At the time of this CVE's KEV listing, 24 Fortinet CVEs appeared on the CISA KEV catalog, reflecting systematic targeting of Fortinet infrastructure in both enterprise and government environments.

Remediation

  1. Patch immediately — upgrade to FortiClientEMS 7.4.7 or apply the vendor emergency hotfix for your installed version (hotfix release notes available at docs.fortinet.com for versions 7.4.5 and 7.4.6)
  2. Restrict network access — if patching is delayed, block all inbound access to the EMS management interface (TCP 443, 8013, 10443) from untrusted networks using firewall ACLs
  3. Do not expose EMS to the internet — the management interface should never be internet-facing; route access through VPN or a bastion host
  4. Audit for compromise — review EMS API logs for unexpected unauthenticated requests, unauthorized account creation, or unusual process execution originating from the EMS service account; also check for lateral-movement indicators, since EMS has broad visibility into every managed endpoint
  5. Assess CVE-2026-21643 exposure — if running a version affected by the related SQL injection flaw, ensure that patch has also been applied
  6. Discontinue use if patching and network isolation cannot be achieved before the BOD 22-01 deadline

There are no full workarounds. Network segmentation reduces exposure but does not eliminate the vulnerability if EMS is reachable from any untrusted host.
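The triage helper below is an added example for remediation steps 1 and 4; it is not Fortinet code and not part of the original advisory. The version table it encodes is taken from the Affected Versions section on this page. Everything else is an assumption: the log line shape, the `/api/` prefix, the `/api/login` allowlist entry, the `PLACEHOLDER-privileged-op` path and the sample log itself are constructed stand-ins, because the page documents neither the real EMS log format nor the affected endpoints. Adapt the regular expression and the allowlist to the log format actually produced by your EMS deployment.

```python
"""Triage helpers for CVE-2026-35616 (FortiClient EMS).

Added example, not Fortinet code. The version facts mirror the advisory
text on this page; the log format below is a constructed stand-in.
"""
import re
from typing import Iterable

# Version facts as stated on this page.
VULNERABLE = {(7, 4, 5), (7, 4, 6)}         # vulnerable; vendor hotfixes exist for both
FIXED_FROM = (7, 4, 7)                       # full patch
NOT_AFFECTED_MAX_MINOR = (7, 2)              # "7.2.x and earlier" not affected


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' (optional leading 'v') into a comparable tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str, hotfix_applied: bool = False) -> str:
    """Map an installed EMS version onto the advisory's status table.

    Returns one of: vulnerable, mitigated-by-hotfix, fixed, not-affected,
    not-listed.  'not-listed' covers releases the advisory on this page does
    not mention (for example 7.4.0-7.4.4 or a newer branch); those need a
    check against the vendor's own version list rather than a guess here.
    """
    v = parse_version(version)
    if v in VULNERABLE:
        return "mitigated-by-hotfix" if hotfix_applied else "vulnerable"
    if v[:2] <= NOT_AFFECTED_MAX_MINOR:
        return "not-affected"
    if v[:2] == FIXED_FROM[:2] and v >= FIXED_FROM:
        return "fixed"
    return "not-listed"


# Constructed log line shape (NOT the real EMS format):
#   <iso-timestamp> <src-ip> <method> <path> <status> user=<name|->
# 'user=-' means the request carried no authenticated principal.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)


def flag_unauthenticated_api_hits(
    lines: Iterable[str],
    api_prefix: str = "/api/",                     # assumed prefix
    public_paths: frozenset = frozenset({"/api/login"}),  # assumed legitimately-unauthenticated paths
) -> list[dict]:
    """Return API requests that were served successfully (2xx) without any
    authenticated user, excluding endpoints that are expected to be public.

    This is the 'unexpected unauthenticated requests' check from step 4 of
    the remediation list. Failed requests (4xx/5xx) are not flagged here, so
    keep them for a separate probing/scanning review if needed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the audit
        d = m.groupdict()
        if (
            d["path"].startswith(api_prefix)
            and d["path"] not in public_paths
            and d["user"] == "-"
            and d["status"].startswith("2")
        ):
            hits.append({"ts": d["ts"], "src": d["src"],
                         "method": d["method"], "path": d["path"]})
    return hits


# Constructed sample log (RFC 5737 documentation addresses, placeholder path).
SAMPLE_LOG = """\
2026-03-31T02:14:07Z 198.51.100.23 POST /api/login 200 user=-
2026-03-31T02:14:09Z 198.51.100.23 GET /api/endpoints 200 user=admin
2026-03-31T02:19:41Z 203.0.113.7 POST /api/PLACEHOLDER-privileged-op 200 user=-
2026-03-31T02:19:42Z 203.0.113.7 POST /api/PLACEHOLDER-privileged-op 500 user=-
2026-03-31T02:20:00Z 10.0.0.5 GET /static/logo.png 200 user=-
this line does not match the expected shape and is skipped
"""


if __name__ == "__main__":
    for ver in ("7.4.6", "7.4.7", "7.2.9", "7.4.3"):
        print(f"{ver:8s} -> {classify(ver)}")
    for hit in flag_unauthenticated_api_hits(SAMPLE_LOG.splitlines()):
        print("REVIEW:", hit)
```

Two design points worth noting. First, `classify` deliberately has a `not-listed` outcome instead of assuming every 7.4.x below 7.4.5 is safe; an advisory that names specific builds says nothing about the ones it omits, and a triage script should surface that gap rather than hide it. Second, the log check allowlists paths that are unauthenticated by design (the login endpoint in the constructed sample), since flagging those would bury the signal in noise; the same allowlist is also the place to review carefully, because a path wrongly added there is a blind spot.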

Key Details

Property              Value
CVE ID                CVE-2026-35616
Vendor / Product      Fortinet — FortiClient EMS
NVD Published         2026-04-04
NVD Last Modified     2026-04-06
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-284
CISA KEV Added        2026-04-06
CISA KEV Deadline     2026-04-09
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-04-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2026-03-31    First exploitation attempts detected by watchTowr honeypots, before public disclosure
2026-04-04    Fortinet publishes PSIRT advisory FG-IR-26-099 and releases emergency hotfixes
2026-04-06    Added to CISA Known Exploited Vulnerabilities catalog
2026-04-06    Shadowserver Foundation identifies 2,000+ publicly accessible FortiClientEMS instances worldwide
2026-04-09    CISA BOD 22-01 remediation deadline