A critical zero-day vulnerability in Fortinet's FortiClient Enterprise Management Server has been actively exploited in the wild since at least 31 March 2026, four days before Fortinet published its official advisory. Organisations running FortiClient EMS versions 7.4.5 or 7.4.6 should apply the emergency hotfix immediately and audit for signs of compromise.
What the Vulnerability Does
CVE-2026-35616 is an improper access control flaw (CWE-284) that enables an unauthenticated attacker to execute arbitrary code or commands on a FortiClient EMS server via crafted HTTP requests. The vulnerability lies in the API layer: access controls on certain endpoints are not enforced before authentication, meaning a threat actor with network access to the EMS management interface can achieve remote code execution without supplying any credentials.
CVSS scores across different analytical sources range from 9.1 to 9.8, reflecting the combination of network-accessible attack vector, no authentication requirement, no user interaction, and high-impact code execution on a system that typically holds endpoint security configuration for an entire organisation.
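To make the CWE-284 pattern concrete, the following is an added illustrative model (not Fortinet's EMS code; the endpoint names, session store and handler bodies are made up) of an API layer in which each handler is left to enforce access control on its own, beside a hardened layout where the dispatcher checks authentication and authorisation before any non-public handler runs. The point is structural: when enforcement is per-handler, one forgotten check exposes the endpoint to unauthenticated callers; when it is central and allow-list based, a forgotten check cannot.

```python
"""
Illustrative model of an improper-access-control (CWE-284) defect and its
hardened form. Added example code, not Fortinet's EMS source: the endpoint
paths, session tokens and handler bodies are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Request:
    path: str
    session: Optional[str] = None   # hypothetical session token from a header


# Constructed session store: token -> role.
VALID_SESSIONS = {"sess-admin-1": "admin"}


def _status(req: Request) -> str:
    return "ok: status"


def _run_command(req: Request) -> str:
    return "ok: command scheduled"


def _settings_with_check(req: Request) -> str:
    # A handler that remembers to check; the one below it does not.
    if VALID_SESSIONS.get(req.session) != "admin":
        return "403 forbidden"
    return "ok: settings"


# --- Vulnerable layout: enforcement is left to each handler. The /api/run
# handler has no check at all, so it is reachable without any credentials.
VULNERABLE_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/api/status": _status,
    "/api/run": _run_command,              # missing check: the defect
    "/api/settings": _settings_with_check,
}


def vulnerable_dispatch(req: Request) -> str:
    handler = VULNERABLE_ROUTES.get(req.path)
    return handler(req) if handler else "404 not found"


# --- Hardened layout: the dispatcher enforces authentication and role before
# any handler runs. Only an explicit allow-list of paths is public.
PUBLIC_PATHS = {"/api/status"}
HARDENED_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/api/status": _status,
    "/api/run": _run_command,
    "/api/settings": _settings_with_check,  # its own check is now redundant, not relied on
}


def hardened_dispatch(req: Request) -> str:
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return "404 not found"
    if req.path not in PUBLIC_PATHS:
        role = VALID_SESSIONS.get(req.session)
        if role is None:
            return "401 unauthorised"   # no valid session: rejected before the handler
        if role != "admin":
            return "403 forbidden"
    return handler(req)


if __name__ == "__main__":
    anon = Request("/api/run")
    print("vulnerable:", vulnerable_dispatch(anon))   # handler runs unauthenticated
    print("hardened:  ", hardened_dispatch(anon))     # rejected at the dispatcher
```

The same request reaches the command handler in the first layout and is stopped at the dispatcher in the second; the difference is where the check lives, not how strict it is.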
Discovery and Exploitation Timeline
watchTowr's Attacker Eye sensors detected active exploitation on 31 March 2026, before any public advisory existed. Fortinet published its advisory on 4 April. CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalogue on 6 April, setting a compliance deadline of 9 April for Federal Civilian Executive Branch agencies. That seven-day window from discovery to federal mandate reflects CISA's assessment of the immediate risk.
The exploit was leveraged as a zero-day in the wild, meaning organisations had no patch available during the initial exploitation window. The gap between detection by watchTowr sensors and the Fortinet advisory publication underscores the risk of assuming vendor timelines are aligned with attacker timelines.
Affected Versions
Only FortiClient EMS 7.4.5 and 7.4.6 are affected. EMS versions 7.2 and below are not vulnerable. Organisations on older version branches are not exposed, but should note that 7.2.x is approaching end-of-life.
Remediation
Fortinet has released an out-of-band hotfix for both 7.4.5 and 7.4.6 that can be applied without system downtime. The full fix is incorporated into the forthcoming 7.4.7 release. Apply the hotfix as an emergency priority; do not wait for the scheduled 7.4.7 release.
Recommended Actions
- Apply the Fortinet hotfix immediately for FortiClient EMS 7.4.5 and 7.4.6. This is a CISA KEV item with confirmed in-the-wild exploitation.
- Restrict network access to the EMS management interface. It should not be reachable from the internet or untrusted network segments. Place it behind a management VLAN with firewall rules.
- Review EMS access logs from 25 March onwards for unexpected API calls, new administrative accounts, or configuration changes that were not authorised.
- Check connected endpoints: if EMS was compromised, threat actors may have pushed malicious FortiClient configurations or collected credentials from managed endpoints. Audit endpoint configurations for unexpected changes.
- Rotate EMS service account credentials and any API keys used by integrations with EMS.
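As an added example of the log review and version check recommended above (not a Fortinet tool, and not the real EMS log format), the script below parses constructed key=value access-log lines, discards records before 25 March, and flags the three things the list asks you to look for: API calls that succeeded without an authenticated user, creation of administrative accounts, and configuration changes to reconcile against change records. It also flags any record whose source address is outside an assumed management network (10.10.50.0/24), since the interface should not be reachable from anywhere else. The version check uses the two affected builds named in the advisory.

```python
"""
Triage helper for an EMS log review. Added example code, not a Fortinet tool:
the key=value log format, the field names, the management network and the
sample lines are all constructed for illustration; adapt the parser and the
network list to your own EMS log export and topology.
"""
import ipaddress
import re
from datetime import date, datetime
from typing import Dict, List

REVIEW_FROM = date(2026, 3, 25)          # start of the review window from the advisory
AFFECTED_VERSIONS = {"7.4.5", "7.4.6"}   # affected builds named in the advisory
MGMT_NETWORKS = [ipaddress.ip_network("10.10.50.0/24")]   # assumed management VLAN

# Constructed sample log in a made-up key=value format.
SAMPLE_LOG = """\
ts=2026-03-24T09:00:01Z src=10.10.50.12 user=admin path=/api/status result=200
ts=2026-03-31T02:14:07Z src=203.0.113.45 user=- path=/api/run result=200
ts=2026-03-31T02:14:20Z src=203.0.113.45 user=- event=admin_created account=svc_backup2 result=200
ts=2026-04-01T11:30:00Z src=10.10.50.12 user=admin event=config_change item=endpoint_profile result=200
ts=2026-04-02T23:55:12Z src=198.51.100.7 user=- event=config_change item=endpoint_profile result=200
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (empty dict for blank/junk lines)."""
    return dict(FIELD_RE.findall(line))


def is_affected(version: str) -> bool:
    """True for the EMS builds the advisory names as vulnerable."""
    return version.strip() in AFFECTED_VERSIONS


def in_mgmt_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETWORKS)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return records on or after REVIEW_FROM that match any review criterion."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "ts" not in rec:
            continue
        when = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).date()
        if when < REVIEW_FROM:
            continue
        reasons = []
        unauthenticated = rec.get("user", "-") == "-"
        if unauthenticated and rec.get("path", "").startswith("/api/") and rec.get("result") == "200":
            reasons.append("unauthenticated API call succeeded")
        if rec.get("event") == "admin_created":
            reasons.append("new administrative account")
        if rec.get("event") == "config_change":
            reasons.append("configuration change to reconcile")
        if not in_mgmt_network(rec.get("src", "0.0.0.0")):
            reasons.append("source outside management network")
        if reasons:
            findings.append({**rec, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["src"], f["reasons"])
```

Run against the sample, the 24 March record is dropped by the date window and the remaining four are reported, each with the reasons that fired; the admin-made configuration change on 1 April is still listed, because the script cannot know whether it was authorised and the advice is to reconcile it.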
The targeting of Fortinet management infrastructure is consistent with a pattern seen in prior Fortinet zero-day campaigns, where attackers focus on security appliances to obtain network-level persistence before pivoting to internal systems.