A critical zero-day vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) is being actively exploited in the wild, according to threat intelligence researchers at watchTowr. Tracked as CVE-2026-35616, the flaw was detected by automated attacker-emulation sensors weeks before Fortinet published its official advisory — a troubling sign that threat actors had prior knowledge of the vulnerability.
What Is FortiClient EMS?
FortiClient Enterprise Management Server is a centralized management solution used by organizations to manage Fortinet’s FortiClient endpoint security software across thousands of devices. It acts as the administrative backbone for endpoint visibility, compliance enforcement, and VPN certificate management in enterprise environments. Because of this privileged position in corporate networks, it is a high-value target for attackers seeking to pivot from a single server to widespread endpoint compromise.
Vulnerability Details: CVE-2026-35616
CVE-2026-35616 is a critical SQL injection vulnerability in FortiClient EMS’s web-based management interface. The flaw resides in the device registration endpoint and can be triggered by an unauthenticated remote attacker by sending a specially crafted HTTP request. Successful exploitation allows the attacker to:
- Execute arbitrary SQL commands against the backend database
- Extract sensitive credentials, certificates, and device inventory data
- Achieve remote code execution (RCE) on the EMS server via database stored procedures
- Potentially pivot to managed endpoints through malicious FortiClient policy updates
Fortinet has classified the vulnerability as Critical. The exploitation path requires no authentication and no user interaction, making it particularly dangerous in internet-exposed deployments.
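To make the bug class concrete, the following is an added example (not Fortinet's code and not derived from the FortiClient EMS source): a hypothetical device-registration lookup written twice, once with the request field concatenated into the SQL string and once with a bound parameter. The table name, column names, sample rows and the `lookup_*` function names are all constructed for this illustration.

```python
"""Hypothetical device-registration lookup: concatenated SQL vs. a bound parameter.

Added example modelling the bug class described above. Everything here
(schema, rows, function names) is constructed; it is not FortiClient EMS code.
"""
import re
import sqlite3

# Allowlist for the identifier format this hypothetical endpoint accepts.
DEVICE_ID_PATTERN = re.compile(r"^[A-Za-z0-9-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory inventory table populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (device_id TEXT, hostname TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [
            ("dev-001", "laptop-alice", "token-alice"),
            ("dev-002", "laptop-bob", "token-bob"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, device_id: str) -> list:
    """Concatenated query: the request field is parsed as SQL syntax.

    With a tautology in device_id the WHERE clause matches every row, so an
    unauthenticated caller can enumerate the inventory.
    """
    sql = f"SELECT hostname FROM devices WHERE device_id = '{device_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, device_id: str) -> list:
    """Parameterised query plus allowlist validation.

    The value is bound as data by the driver, so quotes and keywords inside it
    never reach the SQL parser; the allowlist rejects malformed ids up front.
    """
    if not DEVICE_ID_PATTERN.fullmatch(device_id):
        return []
    sql = "SELECT hostname FROM devices WHERE device_id = ?"
    return [row[0] for row in conn.execute(sql, (device_id,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology input used only to show the two behaviours diverge.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every hostname
    print("hardened:  ", lookup_hardened(db, probe))    # nothing
```

The hardened form is the control a code reviewer looks for in any web-facing management interface: the query text is fixed at development time and every request-derived value travels through the driver's parameter binding.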
Discovery and Exploitation Timeline
watchTowr’s passive attacker sensor network first detected exploitation attempts against CVE-2026-35616 on March 31, 2026 — four days before Fortinet published its security advisory on April 4. This gap between first exploitation and vendor disclosure is particularly alarming, as it suggests that the vulnerability was either leaked within threat actor communities or independently discovered by malicious actors through reverse engineering of FortiClient EMS updates.
By the time Fortinet’s advisory went public, exploitation had already been observed across multiple sectors, including critical infrastructure, financial services, and healthcare organizations in Europe and North America.
Affected Versions
According to Fortinet’s advisory, the following FortiClient EMS versions are affected:
- FortiClient EMS 7.4.0 through 7.4.2
- FortiClient EMS 7.2.0 through 7.2.7
- FortiClient EMS 7.0.0 through 7.0.13
- FortiClient EMS 6.4.x (all versions — end of life, no patch available)
Organizations running version 6.4.x should prioritize migration to a supported version, as no patch will be released for end-of-life branches.
Why This Threat Demands Immediate Attention
FortiClient EMS servers are often exposed to the internet to support remote workforce management. Security scanning data from Shodan and Censys suggests tens of thousands of FortiClient EMS instances are publicly accessible, representing a massive attack surface. Nation-state groups and ransomware affiliates are known to aggressively scan for and exploit Fortinet vulnerabilities — the company’s products have been the subject of CISA emergency directives multiple times in recent years.
Additionally, because FortiClient EMS manages endpoint security policies, a compromised EMS server could be used to push malicious updates to all managed devices, effectively turning a single server breach into an enterprise-wide backdoor.
Immediate Mitigation Steps
Organizations using FortiClient EMS should take the following actions without delay:
- Update immediately: Apply Fortinet’s patches for CVE-2026-35616. Fixed versions are FortiClient EMS 7.4.3, 7.2.8, and 7.0.14.
- Restrict network access: If patching is not immediately possible, restrict access to the EMS management interface to trusted IP ranges only. Remove internet exposure entirely if feasible.
- Audit logs for signs of compromise: Look for unusual SQL activity, unexpected administrator account creation, and anomalous FortiClient policy changes pushed to endpoints.
- Review endpoint integrity: If compromise of the EMS server is suspected, validate that FortiClient endpoints have not received unauthorized policy changes.
- Contact Fortinet PSIRT: If compromise indicators are found, engage Fortinet’s security team, which is actively assisting affected organizations.
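The affected-version list and the "Update immediately" step above reduce to a version comparison that is easy to get wrong by hand across four branches. The following is an added example, not a Fortinet tool: it encodes the ranges and fixed versions exactly as the article states them and classifies an installed EMS version string. The `AFFECTED_BRANCHES` table layout and the `assess` function are this example's own design.

```python
"""Classify a FortiClient EMS version string against the advisory ranges above.

Added example; the ranges and fixed versions are those quoted in this article,
the table layout and function names are constructed here.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, fixed version)
# last/fixed are None for the end-of-life branch, where every release is affected.
AFFECTED_BRANCHES = [
    ((7, 4), (7, 4, 0), (7, 4, 2), (7, 4, 3)),
    ((7, 2), (7, 2, 0), (7, 2, 7), (7, 2, 8)),
    ((7, 0), (7, 0, 0), (7, 0, 13), (7, 0, 14)),
    ((6, 4), (6, 4, 0), None, None),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    if len(nums) == 2:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> dict:
    """Return status ('affected', 'fixed', 'eol', 'unknown') and the action to take."""
    v = parse_version(version_text)
    for branch, first, last, fixed in AFFECTED_BRANCHES:
        if v[:2] != branch:
            continue
        if fixed is None:
            return {"version": fmt(v), "status": "eol",
                    "action": "no patch for this branch; migrate to a supported version"}
        if first <= v <= last:
            return {"version": fmt(v), "status": "affected",
                    "action": f"upgrade to {fmt(fixed)}"}
        return {"version": fmt(v), "status": "fixed",
                "action": "at or above the fixed version for this branch"}
    return {"version": fmt(v), "status": "unknown",
            "action": "branch not listed in the advisory; verify against Fortinet PSIRT"}


if __name__ == "__main__":
    for sample in ["7.4.1", "7.2.8", "7.0.13", "6.4.9", "7.6.0"]:
        r = assess(sample)
        print(f"{r['version']:>8}  {r['status']:<8}  {r['action']}")
```

Feed it the version reported by each EMS instance in an inventory export; a `status` of `affected` or `eol` is a host that still needs the network-restriction and log-audit steps above, not just a scheduled upgrade.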
Context: A Pattern of Fortinet Exploits
CVE-2026-35616 is the latest in a long string of critical vulnerabilities affecting Fortinet products. Over the past three years, Fortinet vulnerabilities have been exploited by Chinese APT groups (Volt Typhoon), ransomware gangs, and cybercriminal syndicates with increasing frequency. Security practitioners have raised concerns about Fortinet’s secure development lifecycle, particularly around input validation in web-facing management interfaces. Fortinet has committed to improving its security practices, but this latest incident suggests the problem persists.
CISA has not yet added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog as of publication, but an update is expected imminently given the confirmed active exploitation.