Blog

Fortinet FortiClient EMS – Unauthenticated Remote Code Execution (CVE-2026-35616)

fortinet

Critical Security Bulletin

Fortinet FortiClient EMS – Unauthenticated Remote Code Execution (CVE-2026-35616)
Advisory: Fortinet PSIRT FG-IR-26-099
Published: April 4, 2026
Severity: Critical (CVSS 9.1–9.8)
Status: Active exploitation observed

Executive Summary

A critical vulnerability in Fortinet FortiClient EMS (Endpoint Management Server) allows unauthenticated remote attackers to execute arbitrary code via crafted API requests. This issue, tracked as CVE-2026-35616, stems from improper access control in exposed API functionality and requires no authentication or user interaction.

Active exploitation has already been observed in the wild, elevating this from a patching priority to an immediate incident response concern.

Technical Overview

  • Vulnerability Type: Improper Access Control (CWE-284)
  • Attack Vector: Network (remote, unauthenticated)
  • Component: FortiClient EMS API
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

The flaw allows attackers to bypass API authentication controls and submit crafted requests that execute arbitrary code on the EMS server.

Root Cause

Failure to properly enforce authentication and authorization checks within API endpoints results in full trust of malicious input from unauthenticated sources.

Affected Systems

  • FortiClient EMS 7.4.5 through 7.4.6
  • FortiClient EMS 7.2: Not affected

Impact

Successful exploitation can result in:

  • Full compromise of the FortiClient EMS server
  • Remote code execution under the EMS service account
  • Creation of administrative users
  • Deployment of malware or ransomware
  • Lateral movement across managed endpoints

In environments where EMS is integrated with enterprise identity or endpoint enforcement, this becomes a centralized control-plane compromise.

Threat Intelligence

  • Exploitation has been confirmed in the wild as a zero-day.
  • Public exploit activity and research disclosures have already surfaced.
  • Fortinet products continue to be high-value targets for initial access operations, particularly in ransomware campaigns.

Detection Opportunities

Security teams should immediately review:

  • Unusual inbound traffic to EMS API endpoints
  • Unexpected process execution on EMS servers
  • Creation of new administrative accounts
  • Abnormal configuration changes within EMS
  • Lateral movement originating from EMS infrastructure

Recommended Data Sources

  • EDR telemetry (process execution, privilege escalation)
  • Network logs (Zeek, firewall, proxy)
  • Authentication logs (O365, AD, SSO)
  • EMS audit logs

Mitigation and Remediation

Immediate Actions

  1. Apply Fortinet Hotfix Immediately
    • Upgrade to FortiClient EMS 7.4.7 or later when available
  2. Restrict Network Access
    • Limit EMS exposure to trusted management networks only
    • Block public or internet-facing access where possible
  3. Validate Compromise
    • Assume breach if EMS is exposed externally
    • Conduct forensic review of:
      • System logs
      • Admin account creation
      • Endpoint policy changes
  4. Reduce Privilege Exposure
    • Ensure EMS service accounts do not run with unnecessary administrative privileges

Strategic Recommendations (CISO-Level)

  • Treat EMS and similar control-plane systems as Tier 0 assets
  • Enforce strict segmentation between management infrastructure and endpoints
  • Implement continuous vulnerability scanning for externally exposed services
  • Integrate EMS telemetry into SIEM/XDR for real-time detection
  • Establish rapid patch SLAs for internet-facing systems (<24 hours)

Critical Path Security Perspective

This vulnerability reinforces a consistent pattern:
Fortinet infrastructure continues to be a prime target for initial access, particularly where management interfaces are exposed or insufficiently segmented.

The combination of:

  • Unauthenticated access
  • Low complexity
  • Active exploitation

makes this a high-probability, high-impact event across enterprise environments.

If FortiClient EMS is deployed in your environment, this is not theoretical risk.
This is active attack surface.

References

  • Fortinet PSIRT Advisory FG-IR-26-099
  • National Vulnerability Database CVE-2026-35616
  • Tenable Research Threat analysis and exploitation confirmation
  • Cyber Security Agency of Singapore Active exploitation advisory