Fortinet has confirmed that CVE-2026-35616, a critical improper access control vulnerability in FortiClient Endpoint Management Server (EMS), is being actively exploited in the wild. Carrying a CVSS score of 9.1, the flaw allows an unauthenticated attacker to bypass the product’s API authentication layer and escalate privileges to execute unauthorised code or commands on the server. CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalogue on 6 April 2026, setting a remediation deadline of 9 April for Federal Civilian Executive Branch agencies — the shortest timeframe CISA typically issues, reserved for vulnerabilities under active federal targeting.
The Vulnerability
Classified as an improper access control issue (CWE-284), the flaw affects FortiClient EMS versions 7.4.5 and 7.4.6. FortiClient EMS is the Fortinet component responsible for deploying and managing FortiClient installations across an organisation’s endpoints, including the zero-trust network access (ZTNA) and VPN configuration policies that govern which users and devices can access corporate networks.
A successful exploit requires no credentials. An attacker who can reach the EMS management interface can craft requests that bypass authentication entirely and gain the ability to execute code on the server — effectively seizing control of the system responsible for enforcing endpoint access policy across the entire managed fleet. This is a particularly severe scenario because EMS is a trusted control plane: compromising it provides an attacker with the ability to modify access policies, disable endpoint protections, and potentially enrol attacker-controlled devices as trusted endpoints.
How Exploitation Was Detected
Security researchers at watchTowr observed exploitation attempts against their honeypots beginning 31 March 2026 — before public technical details were disclosed. Defused Cyber separately confirmed zero-day exploitation in production environments days later. The speed of weaponisation, measured in days from first detection to confirmed in-production exploitation, is consistent with a well-resourced threat actor that had prior knowledge of the vulnerability.
Fortinet responded by releasing an emergency hotfix rather than waiting for the full version 7.4.7 release cycle, acknowledging the severity and the active exploitation activity.
Who Is at Risk
Any organisation running FortiClient EMS 7.4.5 or 7.4.6 where the management interface is reachable — whether from the internet or from a compromised internal network segment — is exposed. EMS servers are typically positioned as centralised management infrastructure, which means a successful compromise delivers far more than server-level access: it hands an attacker control over endpoint security posture organisation-wide.
Environments using Fortinet’s ZTNA or SSL-VPN solutions, where EMS defines which endpoints are granted network access, should treat this as a near-maximum-severity incident requiring immediate response.
Recommended Actions
- Apply Fortinet’s emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6 immediately. The hotfix is available via the Fortinet customer support portal. Do not delay pending the 7.4.7 full release.
- Check whether the EMS management interface is internet-facing. If it is, restrict access to known management IP ranges at the firewall — regardless of patching status.
- Review EMS audit logs from 31 March onwards for anomalous API calls, unexpected configuration changes, and newly created administrative accounts.
- Verify endpoint policy integrity. Confirm that ZTNA, VPN, and endpoint compliance policies remain unchanged and that no unauthorised endpoints have been enrolled.
- Consult Fortinet PSIRT and watchTowr publications for the latest indicators of compromise associated with this vulnerability.
If the hotfix cannot be applied immediately, restricting network access to the EMS management interface to a dedicated management VLAN or jump host is the most effective interim mitigation available.
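One way to carry out the log review from the list above, as an added example that is not from the article or from Fortinet: a short triage over constructed audit entries that flags unauthenticated or out-of-range API calls, policy changes and new administrator accounts from 31 March 2026 onwards. The pipe-separated layout, the event names and the 10.20.0.0/24 management range are assumptions for illustration, not the real EMS audit-log schema.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample entries in the form timestamp|source_ip|event|actor|detail.
# Real EMS audit logs use their own schema; this layout is only an illustration.
SAMPLE_LOG = """\
2026-03-30T09:12:01|10.20.0.5|api.request|admin|endpoint inventory query
2026-03-31T02:47:13|203.0.113.77|api.request|-|request to management API
2026-03-31T02:47:20|203.0.113.77|admin.create|-|new administrator account 'svc_backup'
2026-04-01T11:03:44|10.20.0.5|login.success|admin|console login
2026-04-02T15:30:09|10.20.0.5|policy.update|admin|ZTNA rule set modified
2026-04-02T15:31:10|192.168.7.9|api.request|admin|request to management API
"""

MGMT_NETS = [ip_network("10.20.0.0/24")]          # assumed management range
SINCE = datetime(2026, 3, 31)                       # first observed exploitation
REVIEW_EVENTS = {"admin.create", "policy.update"}   # always worth a human look


def triage(log_text, mgmt_nets=MGMT_NETS, since=SINCE):
    """Return (timestamp, source_ip, reason) for every entry needing review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, event, actor, detail = line.split("|", 4)
        if datetime.fromisoformat(ts) < since:
            continue                      # outside the exposure window
        addr = ip_address(src)
        trusted = any(addr in net for net in mgmt_nets)
        if event == "api.request" and actor == "-":
            findings.append((ts, src, "unauthenticated API call"))
        elif event == "api.request" and not trusted:
            findings.append((ts, src, "API call from outside management range"))
        elif event in REVIEW_EVENTS:
            origin = "trusted" if trusted else "untrusted"
            findings.append((ts, src, f"{event} from {origin} source: {detail}"))
    return findings


if __name__ == "__main__":
    for ts, src, reason in triage(SAMPLE_LOG):
        print(f"{ts} {src:<15} {reason}")
```

Entries before 31 March are skipped; a policy change from a trusted address is still reported because the article asks for every configuration change in the window to be verified.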