InSEKurity of the Week (CW14/2026): FortiClient EMS Unauthenticated Remote Code Execution (CVE-2026-35616)
Critical improper access control vulnerability in Fortinet FortiClient EMS actively exploited as zero-day - Unauthenticated API bypass leads to remote code execution
This week in our InSEKurity of the Week series: A critical improper access control vulnerability in Fortinet FortiClient EMS that was exploited as a zero-day in the wild, allowing unauthenticated attackers to bypass API authentication and execute arbitrary code on enterprise endpoint management servers.
π¨ Summary
- CVE ID: CVE-2026-35616
- CVSS 3.1 Score: 9.1 (Critical)
- CWE: CWE-284 (Improper Access Control)
- Affected Software: Fortinet FortiClient EMS 7.4.5 - 7.4.6
- Attack Vector: Network (Unauthenticated Remote Attack)
- Authentication Required: None
- Impact: Arbitrary code execution on the EMS server
- Patch Status: Hotfix available (full fix in 7.4.7)
- Published: April 2026
- Status: Actively Exploited (Zero-Day)
- CISA KEV: Added April 6, 2026
π What is FortiClient EMS?
FortiClient Enterprise Management Server (EMS) is Fortinetβs centralized endpoint management platform. It serves as the command and control hub for deploying, configuring, and managing FortiClient endpoint security agents across an entire organization.
Typical Use Cases
- Centralized Endpoint Management: Deployment and configuration of FortiClient agents across thousands of endpoints
- Security Policy Enforcement: Definition and distribution of endpoint security policies (antivirus, web filtering, VPN)
- Zero Trust Network Access (ZTNA): Tag-based access control for applications and network resources
- Vulnerability Scanning: Centralized vulnerability assessment and compliance monitoring
- VPN Management: Configuration and management of SSL/IPSec VPN connections for remote workers
- Telemetry and Reporting: Collection of endpoint security telemetry data for SOC operations
FortiClient EMS is widely deployed in enterprise environments and is a high-value target because compromising it gives an attacker control over the security posture of all managed endpoints. Fortinet holds a significant share of the enterprise security market with over 700,000 customers globally.
π Technical Analysis
Vulnerability Description
CVE-2026-35616 is an improper access control vulnerability in the API layer of FortiClient EMS. The vulnerability functions as a pre-authentication API access bypass that enables privilege escalation without any valid credentials. A remote, unauthenticated attacker can send specially crafted HTTP requests to the EMS server API, completely bypassing authentication and authorization controls.
Root Cause Analysis
The vulnerability is rooted in:
- Missing Authentication Enforcement: A specific API endpoint in the EMS server fails to enforce authentication checks, processing requests from any source without requiring a session token or valid credentials
- Improper Access Control (CWE-284): The API authorization layer does not properly validate whether the requesting entity has the required permissions
- Direct Code Execution Path: Once authentication is bypassed, the attacker reaches functionality that allows execution of arbitrary code or commands on the underlying server
Attack Vector
A typical exploitation proceeds as follows:
# Step 1: Attacker identifies a FortiClient EMS instance
# EMS typically runs on port 443 (HTTPS) or 8013
# Shodan/Censys can be used to identify exposed instances
# Step 2: Attacker crafts an unauthenticated API request
# targeting the vulnerable endpoint
POST /api/task/trigger HTTP/1.1
Host: forticlient-ems.target.com:443
Content-Type: application/json
# The request bypasses the authentication layer entirely
# No session token, no credentials, no authorization header required
# Step 3: The EMS server processes the request
# as if it came from an authenticated, privileged user
# Step 4: Attacker achieves code execution
# on the FortiClient EMS server
# Step 5: From the EMS server, the attacker can:
# - Push malicious policies to all managed endpoints
# - Disable endpoint protection across the organization
# - Harvest credentials and telemetry data
# - Pivot into the internal networkExploitation in the Wild
The timeline of active exploitation:
- March 31, 2026: First exploitation attempts recorded against watchTowr honeypots
- Early April 2026: Defused Cyber observes zero-day exploitation in customer environments
- April 4, 2026: Fortinet releases emergency hotfix and confirms active exploitation
- April 6, 2026: CISA adds CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog
- April 6, 2026: Public proof-of-concept identified on GitHub
Post-Exploitation Impact
Once an attacker achieves code execution on the EMS server, the consequences are severe:
- Endpoint Security Disablement: Push policies that disable antivirus, EDR, and web filtering on all managed endpoints
- Credential Harvesting: Access stored credentials, VPN configurations, and ZTNA tokens from the EMS database
- Lateral Movement: Use the EMS server as a pivot point to reach internal network segments
- Supply Chain Attack: Push malicious FortiClient updates or configurations to all managed endpoints
- Persistence: Establish backdoors through manipulated endpoint policies
- Data Exfiltration: Access telemetry data, security logs, and vulnerability scan results from all endpoints
β οΈ Impact Assessment
Immediate Impact
- Unauthenticated RCE: No credentials needed, maximum attack surface
- Zero-Day Exploitation: Attackers exploited the flaw before any patch was available
- Critical Infrastructure: EMS servers manage the security of entire endpoint fleets
- CISA KEV Listed: Federal agencies required to patch by April 9, 2026
Affected Versions
| Version | Status |
|---|---|
| FortiClient EMS 7.4.5 | Vulnerable - Hotfix available |
| FortiClient EMS 7.4.6 | Vulnerable - Hotfix available |
| FortiClient EMS < 7.4.5 | Not affected |
| FortiClient EMS 7.4.7+ | Not affected (upcoming) |
Affected Environments
Particularly at risk:
- Large Enterprises: With thousands of managed endpoints and centralized EMS deployments
- Managed Security Service Providers (MSSPs): Operating FortiClient EMS for multiple customers
- Government and Critical Infrastructure: With exposed or insufficiently segmented EMS servers
- Healthcare and Financial Services: With strict compliance requirements
- Remote/Hybrid Workforce Environments: Relying on FortiClient VPN managed through EMS
Attacker Profiles
The vulnerability is attractive for:
- APT Groups: For persistent access and endpoint control across entire organizations
- Ransomware Operators: Disabling endpoint protection before deploying ransomware
- Nation-State Actors: For espionage via endpoint telemetry and credential theft
- Initial Access Brokers: Selling access to compromised EMS environments
π‘οΈ Mitigation Strategies
Immediate Actions (Priority 1) β‘
CRITICAL: This vulnerability is being actively exploited as a zero-day - immediate action required!
-
Check Version:
# Check FortiClient EMS version # Via Web Console: Help > About # Or check the installed version on the server # Windows (typical EMS installation) wmic product where "name like '%%FortiClient%%EMS%%'" get name,version # Affected: 7.4.5 and 7.4.6 -
Apply Hotfix:
- Download and apply the emergency hotfix from the Fortinet Support Portal
- Hotfixes are available for both FortiClient EMS 7.4.5 and 7.4.6
- Plan upgrade to FortiClient EMS 7.4.7 when released for the full fix
-
Restrict Network Access:
# Restrict access to the EMS server to trusted networks only # EMS should NEVER be directly exposed to the internet # Example: Windows Firewall rule to restrict EMS access netsh advfirewall firewall add rule name="Restrict EMS API" ^ dir=in action=allow protocol=tcp localport=443 ^ remoteip=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 netsh advfirewall firewall add rule name="Block EMS External" ^ dir=in action=block protocol=tcp localport=443 -
Check for Compromise:
# Review EMS server logs for suspicious API activity # Default log location on Windows: # C:\Program Files\Fortinet\FortiClientEMS\logs\ # Search for unauthenticated API access patterns findstr /i "task/trigger" "C:\Program Files\Fortinet\FortiClientEMS\logs\ems.log" # Check for new or modified admin accounts # Via EMS Web Console: Administration > Admin Users # Review Windows Event Logs for suspicious process execution wevtutil qe Security /q:"*[System[(EventID=4688)]]" /c:50 /rd:true /f:text # Check for unusual network connections from the EMS server netstat -ano | findstr ESTABLISHED
Detection Measures π
Indicators of Compromise (IoCs):
# Monitor for unauthenticated API requests to the EMS server
# Look for requests to /api/task/trigger without valid session tokens
# Check for unusual processes spawned by the EMS service
wmic process where "parentprocessid=[EMS_PID]" get processid,name,commandline
# Review scheduled tasks for persistence mechanisms
schtasks /query /fo LIST /v | findstr /i "fortinet\|forticlient"
# Monitor outbound connections from the EMS server
netstat -ano | findstr "ESTABLISHED" | findstr /v "443\|8013\|8014"SIEM Rules:
- Monitor API requests to
/api/task/triggerwithout prior session authentication - Alert on new administrative accounts created in FortiClient EMS
- Detect policy changes pushed to endpoints outside of maintenance windows
- Monitor for unusual outbound connections from the EMS server
- Alert on mass endpoint policy changes or FortiClient agent reconfigurations
- Log all access to the EMS management interface from non-standard IP ranges
Long-term Security Improvements
- Network Segmentation: Isolate the EMS server in a dedicated management VLAN with strict access controls
- Patch Management: Subscribe to Fortinet PSIRT advisories for immediate notification of security updates
- Monitoring & Logging: Forward EMS logs to a centralized SIEM for real-time analysis
- Zero Trust Architecture: Implement additional authentication layers (MFA, certificate-based) for management access
- Regular Auditing: Periodically review EMS configurations, admin accounts, and endpoint policies
π― Why is this Critical?
- CVSS 9.1 - Critical: Near-maximum severity rating
- No Authentication Required: Any attacker with network access can exploit the vulnerability
- Zero-Day Exploitation: Attackers exploited the flaw before any patch existed
- Active Exploitation Confirmed: Observed in real-world attacks by multiple security firms
- CISA KEV Listed: Added to the Known Exploited Vulnerabilities catalog with a 3-day remediation deadline
- Massive Blast Radius: Compromising one EMS server can affect thousands of managed endpoints
- Public PoC Available: Proof-of-concept exploit code published on GitHub lowers the barrier for exploitation
- High-Value Target: EMS servers hold credentials, policies, and telemetry data for entire organizations
π Timeline and Disclosure
- March 31, 2026: First exploitation attempts detected on honeypots
- Early April 2026: Zero-day exploitation confirmed by Defused Cyber
- April 4, 2026: Fortinet releases emergency hotfix
- April 5, 2026: Fortinet publishes security advisory (FG-IR-26-071)
- April 6, 2026: CISA adds CVE-2026-35616 to KEV catalog (deadline: April 9, 2026)
- April 6, 2026: Public PoC published on GitHub
- Upcoming: FortiClient EMS 7.4.7 with full patch
π Resources and References
- CVE: CVE-2026-35616
- NVD: CVE-2026-35616
- Fortinet PSIRT Advisory: FG-IR-26-071
- CWE: CWE-284: Improper Access Control
- CISA KEV: Known Exploited Vulnerabilities Catalog
πΌ SEKurity Supports You
This critical zero-day vulnerability demonstrates the devastating potential of unauthenticated access to centralized endpoint management infrastructure. A single crafted API request can give attackers control over the security posture of an entire organization, disabling protection on thousands of endpoints simultaneously.
Our Services
- Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
- Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
- Security Awareness: Phishing campaigns, hacking demonstrations
Act now β before attackers do.
Contact:
π Website: www.sekurity.de
π§ Inquiries: www.sekurity.de/kontakt
π± LinkedIn: SEKurity GmbH
Your SEKurity Team β Your Trusted Adversaries
The security of your endpoint infrastructure is our drive.
Sources
- Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS - The Hacker News
- New FortiClient EMS flaw exploited in attacks, emergency patch released - BleepingComputer
- CVE-2026-35616: FortiClient EMS Flaw Under Active Exploitation - eSecurity Planet
- FortiClient EMS zero-day exploited, emergency hotfixes available - Help Net Security
- CISA Adds FortiClient EMS CVE-2026-35616 to KEV Catalog - CISA
- CVE-2026-35616 Fortinet FortiClientEMS zero-day exploited - Tenable
- Fortinet FortiClient EMS vulnerability: CVE-2026-35616 - runZero
About the Author
SEKurity Team
Offensive Security Experts
The SEKurity GmbH team consists of experienced penetration testers, security researchers, and cybersecurity consultants. Under the motto 'Your Trusted Adversaries', we support organizations in evaluating their IT security from an attacker's perspective and improving it.
Related Articles
InSEKurity of the Week (CW04/2026): Cisco Unified Communications Manager Zero-Day (CVE-2026-20045)
Critical zero-day vulnerability in Cisco Unified Communications Manager and Webex actively exploited - Root access via code injection possible
InSEKurity of the Week (CW07/2026): Windows Shell SmartScreen Bypass Zero-Day (CVE-2026-21510)
Critical zero-day vulnerability in Windows Shell allows attackers to bypass SmartScreen and Mark of the Web protections through a single malicious click
InSEKurity of the Week (CW13/2026): Cisco Catalyst SD-WAN Manager Authentication Bypass (CVE-2026-20129)
Critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Manager actively exploited - Unauthenticated access with netadmin privileges possible