CVE-2026-35616
April 7, 2026

Critical Vulnerability in Fortinet FortiClient EMS

Security Advisory
Kudelski Security Team

Summary

A critical zero-day vulnerability, CVE-2026-35616, has been identified in Fortinet's FortiClient Enterprise Management Server (EMS). This vulnerability allows unauthenticated attackers to bypass authentication mechanisms, potentially leading to unauthorized code execution. Fortinet has confirmed active exploitation of this flaw in the wild and has released emergency patches to mitigate the risk. Immediate action is required to protect affected systems from potential compromise.

Affected Systems and/or Applications

  • Product: FortiClient Enterprise Management Server (EMS)
  • Affected Versions: FortiClient EMS versions 7.4.5 through 7.4.6
  • Unaffected Versions: FortiClient EMS 7.2 and versions 7.4.7 and above (upon release)

Technical Details

CVE-2026-35616 is an improper access control vulnerability (CWE-284) that allows remote, unauthenticated attackers to execute arbitrary code via specially crafted requests. The vulnerability stems from inadequate validation of user credentials or session tokens for sensitive API endpoints. Exploitation of this flaw can lead to:

  • Full control over the EMS, enabling configuration manipulation and data extraction.
  • Deployment of malicious payloads to managed endpoints.
  • Lateral movement within the network, escalating privileges and accessing critical systems.
  • Data exfiltration and establishment of persistent access mechanisms.

Mitigation

  1. Immediate Patching:
    • Apply the emergency hotfixes provided by Fortinet for versions 7.4.5 and 7.4.6.
    • Upgrade to FortiClient EMS version 7.4.7 once available, as it includes a permanent fix.
  2. Network Segmentation:
    • Isolate the EMS server within a restricted network segment, limiting its exposure to the internet and other internal networks.
    • Implement strict firewall rules to control access to the EMS management interface.
  3. Access Controls:
    • Enforce multi-factor authentication (MFA) for all administrative access to the EMS.
    • Regularly review and update access permissions to adhere to the principle of least privilege.
  4. Vulnerability Scanning:
    • Tenable plugins covering this vulnerability are listed on the individual CVE page for CVE-2026-35616 as they are released. Use those plugins to determine whether your FortiClient EMS deployment is running an affected version.

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed.
