Fortinet Issues Emergency Patch for Actively Exploited FortiClient EMS Zero-Day CVE-2026-35616

dark6 13 April 2026

Fortinet has released emergency patches for a critical zero-day vulnerability in FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616, which was already being actively exploited in the wild before the advisory was published. With a CVSS score of 9.1, this improper access control flaw allows unauthenticated attackers to execute arbitrary code on vulnerable EMS servers — no credentials required.

What Is CVE-2026-35616?

CVE-2026-35616 is an improper access control vulnerability residing in the FortiClient EMS API layer. The flaw allows a remote, unauthenticated attacker to send crafted HTTP requests that bypass the server’s authentication and authorization controls entirely, leading to arbitrary code or command execution on the underlying host system.

FortiClient EMS is a critical piece of enterprise infrastructure. It manages endpoint policy enforcement, VPN access configurations, application control, and compliance posture across corporate devices. Compromising an EMS server gives an attacker the ability to manipulate endpoint configurations, push malicious policies to thousands of managed devices, and pivot laterally into the broader corporate environment.

Active Exploitation Before Patch

The timeline of this vulnerability is particularly alarming. Exploitation of CVE-2026-35616 was first detected on March 31, 2026 — four days before Fortinet published its official security advisory on April 4, 2026. This means that attackers were already inside affected environments when the disclosure went public.

Security firm watchTowr, which conducted independent analysis, confirmed that active exploitation was underway and that attackers had established persistent access to multiple enterprise environments before the vulnerability became publicly known. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, imposing a remediation deadline of April 27, 2026, for Federal Civilian Executive Branch agencies.

Affected Versions

The vulnerability specifically impacts the following FortiClient EMS versions:

  • FortiClientEMS 7.4.5
  • FortiClientEMS 7.4.6

Importantly, the 7.2 branch is not affected. Organizations running the 7.2.x line do not need to apply the emergency hotfix for this particular flaw, though maintaining up-to-date software is always recommended.

Why This Is Especially Dangerous

The combination of factors surrounding CVE-2026-35616 makes it particularly severe:

  • Pre-authentication exploitation: No user credentials or prior access are needed to exploit the flaw.
  • No user interaction required: The attack is fully remote and automated, making it trivially scriptable.
  • High-value target: EMS servers sit at the heart of corporate endpoint management — compromising one grants broad control over all managed devices.
  • Lateral movement potential: An attacker controlling EMS can push malicious configurations, disable security controls, or install further payloads across the entire managed fleet.
  • Known exploitation in the wild: This is not a theoretical threat — real-world attacks were observed before the patch was available.

Remediation Steps

Fortinet has released a hotfix available through its support portal that can be applied while organizations await the forthcoming full patch in FortiClient EMS version 7.4.7. The following remediation actions are recommended:

  • Apply the Fortinet emergency hotfix immediately via the official Fortinet support portal.
  • Restrict network access to the FortiClient EMS server — it should not be directly internet-accessible.
  • Review EMS server logs for evidence of unauthorized API access or anomalous requests dating back to at least March 31, 2026.
  • Audit managed endpoint configurations for unexpected policy changes or newly pushed software.
  • Upgrade to FortiClientEMS 7.4.7 as soon as it becomes available.
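The version check from the "Affected Versions" section and the log-review step above can be scripted for a first-pass triage. The following is an added example, not Fortinet's own tooling: it decides whether an EMS version string is one of the two affected releases, then scans access-log lines for successful, unauthenticated requests to the API layer from hosts outside a management allowlist, starting from the March 31, 2026 exploitation date. The log line layout, the `/api/` path prefix, the `user=-` marker for unauthenticated requests and the sample lines are all constructed assumptions; adapt `LOG_RE` and `API_PREFIX` to the real EMS log format before use.

```python
"""Triage helper for CVE-2026-35616: affected-version check and EMS log hunt.

Added example; the log format, API prefix and sample entries are constructed
assumptions, not Fortinet's actual EMS log layout.
"""
import re
from datetime import date, datetime

# Earliest observed exploitation per the advisory timeline (March 31, 2026).
EXPLOITATION_START = date(2026, 3, 31)

# Releases named as affected; the 7.2 branch is not affected, 7.4.7 is the fix.
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
FIXED_VERSION = (7, 4, 7)

# Assumed path prefix for the EMS API layer (hypothetical, used to scope the hunt).
API_PREFIX = "/api/"

# Assumed log line shape (constructed): timestamp, source, user, method, path, status.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+status=(?P<status>\d{3})$"
)


def parse_version(version: str) -> tuple:
    """Turn '7.4.5' into (7, 4, 5) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_hotfix(version: str) -> bool:
    """True only for the two releases the advisory lists as affected."""
    return parse_version(version) in AFFECTED_VERSIONS


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    entry = match.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    entry["status"] = int(entry["status"])
    return entry


def suspicious_requests(lines, trusted_sources, since=EXPLOITATION_START):
    """Return API requests that deserve analyst attention.

    A hit is a request on or after `since` to the API layer that carries no
    authenticated user, comes from a host outside the management allowlist,
    and was answered with a 2xx status. Pre-authentication access to the API
    is what the advisory describes, so an unauthenticated success is the signal.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ts"].date() < since:
            continue
        if not entry["path"].startswith(API_PREFIX):
            continue
        unauthenticated = entry["user"] in ("-", "anonymous")
        untrusted = entry["src"] not in trusted_sources
        succeeded = 200 <= entry["status"] < 300
        if unauthenticated and untrusted and succeeded:
            findings.append(entry)
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2026-03-28T09:00:00 src=10.0.0.5 user=admin GET /api/v1/endpoints status=200",
    "2026-03-31T02:14:07 src=203.0.113.45 user=- POST /api/v1/policies status=200",
    "2026-04-01T11:30:00 src=10.0.0.5 user=admin POST /api/v1/policies status=200",
    "2026-04-02T03:05:12 src=198.51.100.7 user=- GET /api/v1/config status=401",
    "2026-04-02T03:05:40 src=198.51.100.7 user=- POST /api/v1/config status=200",
    "2026-04-02T03:06:00 src=198.51.100.7 user=- GET /static/logo.png status=200",
    "malformed line that the parser should skip",
]
TRUSTED_SOURCES = {"10.0.0.5"}  # assumed management host allowlist


def run_triage():
    """Summarise hits from the sample log as (timestamp, source, path) tuples."""
    hits = suspicious_requests(SAMPLE_LOG, TRUSTED_SOURCES)
    return [(h["ts"].isoformat(), h["src"], h["path"]) for h in hits]


if __name__ == "__main__":
    for ver in ("7.2.9", "7.4.5", "7.4.7"):
        print(f"{ver}: hotfix required = {needs_hotfix(ver)}")
    for ts, src, path in run_triage():
        print(f"REVIEW {ts} {src} {path}")
```

Only the two unauthenticated, successful API calls from untrusted hosts on or after the cutoff are flagged; the earlier admin request, the trusted-host request, the 401 and the static asset fetch are filtered out. Treat the hits as a starting point for the endpoint-configuration audit in the next step, not as confirmation of compromise.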

Broader Context: Fortinet Under Fire

This is not the first time Fortinet products have found themselves at the center of a critical zero-day disclosure. The company has faced a series of high-severity vulnerabilities in recent years, including flaws in FortiOS, FortiGate, and now FortiClient EMS. The frequency with which Fortinet vulnerabilities appear on CISA’s KEV catalog underscores the attractiveness of the company’s products as targets — widely deployed in enterprise and government environments, they represent high-value attack surfaces for both nation-state actors and financially motivated cybercriminals.

Security teams using Fortinet products should treat patch management for these systems as an urgent priority and ensure that FortiClient EMS servers are never exposed directly to the internet.

Conclusion

CVE-2026-35616 represents a textbook case of why zero-day vulnerabilities in enterprise security infrastructure are so dangerous. The combination of a CVSS 9.1 score, pre-authentication exploitation, active in-the-wild attacks, and the strategic value of EMS servers makes this a critical-priority patch for any organization running the affected versions. Apply the Fortinet hotfix now and begin hunting for signs of compromise dating back to late March 2026.
