Fortinet has patched a critical security vulnerability in its FortiClientEMS (Enterprise Management Server) product, tracked as CVE-2026-35616, which carries a CVSS score of 9.1. The flaw allows a remote, unauthenticated attacker to bypass API authentication and execute arbitrary code using specially crafted HTTP requests. Security researchers from Defused and Nguyen Duc Anh were credited with the initial discovery, and public proof-of-concept exploit code has already been published on GitHub — making active exploitation a near-certainty for all unpatched systems.
How the Vulnerability Works
CVE-2026-35616 is classified as an Improper Access Control vulnerability (CWE-284), a category that has repeatedly plagued enterprise network security products. The flaw resides in the authentication layer of the FortiClientEMS REST API, where certain endpoints fail to enforce authentication checks correctly. An attacker who sends a specially crafted request to these endpoints can gain administrative-level access without providing valid credentials and without requiring any user interaction on the victim side.
This type of pre-authentication remote code execution vulnerability is particularly dangerous because it demands no existing foothold in the network. Threat actors can scan the internet for exposed FortiClientEMS instances and immediately exploit them to compromise enterprise environments at scale.
Active Exploitation and CISA Response
What makes CVE-2026-35616 especially urgent is that active exploitation in the wild has already been confirmed. A public proof-of-concept exploit appeared on GitHub as early as April 6, 2026, dramatically lowering the barrier for less sophisticated threat actors. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch agencies apply patches without delay.
This marks the second actively exploited FortiClientEMS vulnerability in recent weeks. CVE-2026-21643, another authentication bypass flaw in the same product, was leveraged in the wild just weeks prior — a clear signal that threat actors are actively and systematically hunting for weaknesses in Fortinet endpoint management infrastructure.
Affected Versions and Available Patches
According to Fortinet’s security advisory, the following versions are affected:
- FortiClientEMS 7.4.5 through 7.4.6 — vulnerable, requiring immediate patching
- FortiClientEMS 7.2.x — not affected by this specific vulnerability
Fortinet has released hotfixes for versions 7.4.5 and 7.4.6, with version 7.4.7 slated for general availability shortly. Organizations running any affected build are strongly advised to apply the hotfixes immediately, without waiting for the full version upgrade cycle.
Risk and Business Impact
FortiClientEMS is widely deployed in corporate environments as the central management platform for Fortinet’s endpoint security clients. A compromise of the EMS server can give attackers control over all managed endpoints, enabling them to push malicious configurations, disable security controls across the entire fleet, harvest credentials from thousands of machines, and move laterally through networks undetected. In large organizations where FortiClientEMS oversees hundreds or thousands of endpoints, the blast radius from a successful exploit could be catastrophic.
The combination of a 9.1 CVSS score, public PoC availability, and confirmed in-the-wild exploitation puts this vulnerability among the most dangerous actively targeted flaws of 2026. Security teams should not treat this as a routine patch — it warrants emergency response procedures.
Recommended Immediate Actions
Security teams using FortiClientEMS should act on the following steps without delay:
- Apply the available hotfix for FortiClientEMS 7.4.5 and 7.4.6 as an emergency priority
- Audit firewall rules to confirm the EMS management interface is not exposed to the public internet
- Review API access logs for unauthenticated or anomalous requests targeting administrative endpoints
- Check for indicators of compromise: newly created admin accounts, unexpected configuration changes, or anomalous outbound connections from the EMS server
- Isolate the EMS server in a restricted network segment if immediate patching is not feasible
- Upgrade to FortiClientEMS 7.4.7 when available for the permanent fix
A Persistent Pattern of Fortinet Targeting
Fortinet products have been a consistent and highly attractive target for threat actors, including sophisticated nation-state groups, over the past two years. From FortiOS SSL-VPN vulnerabilities to FortiManager flaws exploited by China-linked groups, the pattern of sustained targeting is well-established. CVE-2026-35616 is the latest chapter in this ongoing story, and it reinforces the critical need for organizations to maintain rigorous, proactive patch management practices for all Fortinet products — not just perimeter-facing gateways.
As CISA’s addition of this flaw to the KEV catalog underscores, CVE-2026-35616 is not a theoretical risk — it is an active, ongoing threat requiring emergency action from every organization running a vulnerable version of FortiClientEMS.