FortiClient EMS Zero-Day CVE-2026-35616: Patch Now


CVE-2026-35616 is a critical (CVSS 9.1) pre-authentication remote code execution zero-day in Fortinet FortiClient EMS, the management server that pushes endpoint-security policy to every FortiClient-managed device in an organisation. An unauthenticated attacker who can reach the EMS API can bypass its authentication and authorisation controls, execute arbitrary code on the server, and from there take control of the entire managed endpoint fleet without holding any valid credentials. Active exploitation was first recorded on 31 March 2026. CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalogue on 6 April 2026. An emergency hotfix is available now for the affected versions, 7.4.5 and 7.4.6; apply it immediately.

CVE-2026-35616 at a Glance

Detail                        Value
CVE ID                        CVE-2026-35616
CVSS Score                    9.1 (Critical)
Vulnerability Type            Improper access control (API authentication bypass)
Attack Vector                 Network (no credentials required, no user interaction)
Affected Versions             FortiClient EMS 7.4.5 and 7.4.6
Emergency Hotfix              Available now for 7.4.5 and 7.4.6; apply immediately
Permanent Fix                 FortiClient EMS 7.4.7 (includes fix)
CISA KEV Added                6 April 2026
First Exploitation Observed   31 March 2026 (watchTowr honeypot confirmation)

What Is FortiClient EMS and Why Does This Matter?

FortiClient Endpoint Management Server (EMS) is the central management console for Fortinet endpoint-security deployments. It deploys FortiClient policies, manages endpoint compliance, enforces Zero Trust Network Access (ZTNA) rules, and maintains real-time telemetry across every managed endpoint in an organisation.

That centralised role is precisely what makes CVE-2026-35616 so serious. The EMS server is not just another application — it is the administrative brain that controls every endpoint it manages. A single unpatched EMS instance hands an attacker pre-authentication remote code execution over the entire managed fleet: laptops, servers, VPN-connected remote devices, and ZTNA-gated assets alike.

Fortinet is one of the most widely deployed network and endpoint-security vendors across Malaysian enterprises, financial institutions, and government agencies. For any organisation running FortiClient EMS 7.4.5 or 7.4.6, this is a same-week patch obligation — not a scheduled maintenance item.

How the Vulnerability Works

CVE-2026-35616 is an improper access control flaw in the FortiClient EMS REST API. Under normal operation, the API requires valid credentials before accepting management commands. The vulnerability allows an attacker to craft API requests that bypass authentication and authorisation checks entirely — without presenting credentials or triggering any authentication flow.

Once through, the attacker achieves remote code execution on the EMS server itself. From that position, an attacker can:

  • Extract all endpoint telemetry and configuration data from the EMS database
  • Push malicious policy updates to every managed FortiClient endpoint
  • Revoke endpoint-security protections fleet-wide — disable AV, firewall rules, ZTNA policies
  • Use the EMS server as a lateral movement pivot into internal networks
  • Create persistent administrative access that survives reboots and patch cycles

The watchTowr research team first observed exploitation against honeypots on 31 March 2026 — before Fortinet had published its advisory. By 6 April 2026, CISA designated CVE-2026-35616 a Known Exploited Vulnerability with a mandatory remediation deadline of 9 April 2026 for US federal agencies. Exploitation activity has continued since.

Affected Versions and How to Patch

Only FortiClient EMS versions 7.4.5 and 7.4.6 are confirmed affected. Versions 7.4.4 and earlier are not vulnerable. FortiClient EMS 7.4.7 will include the permanent fix; however, waiting for 7.4.7 is not acceptable for currently deployed 7.4.5 or 7.4.6 instances.

Immediate action steps:

  1. Confirm your version: In FortiClient EMS, navigate to Help → About FortiClient EMS. If the version shows 7.4.5 or 7.4.6, proceed immediately.
  2. Isolate the EMS server: If the EMS management interface is reachable from the internet or from untrusted network segments, firewall it at the network layer now, restricting it to your administrative subnets while you prepare the hotfix. Check Fortinet's advisory for which listener exposes the vulnerable API before assuming that any port your endpoints need to reach EMS on can safely stay open.
  3. Apply the emergency hotfix: Download from the Fortinet Support portal (support.fortinet.com) under FortiClient EMS → Firmware. The hotfix applies to both 7.4.5 and 7.4.6 without requiring system downtime.
  4. Verify the hotfix: After applying, confirm in Help → About FortiClient EMS that the build number matches the patched build named in the advisory. Compare the build number, not just the 7.4.x version string, since a hotfix does not necessarily change the version number.
  5. Review EMS audit logs: Check for anomalous API calls, unexpected administrator account creation, or unusual policy-push events from 1 March 2026 onwards. Exploitation may have occurred before patching.
  6. Plan upgrade to 7.4.7: Schedule the full version upgrade at your next maintenance window for the permanent fix.

Malaysian Compliance Context: BNM RMiT and NACSA CNII

For Malaysian organisations subject to Bank Negara Malaysia Risk Management in Technology (RMiT), Section 11.19 requires critical vulnerability patches to be applied within defined timescales. A CISA KEV listing, which CVE-2026-35616 holds, is by definition confirmation of active exploitation, so it meets the "critical, actively exploited" threshold. Financial institutions running FortiClient EMS must treat this as a mandatory remediation item, not a recommendation.

NACSA’s Guidelines on Cyber Risk Management for Critical National Information Infrastructure operators similarly require timely patching of actively exploited vulnerabilities. Government ministries, statutory bodies, and CNII operators using FortiClient EMS should classify this as a P0 remediation item.

If your organisation does not have a 24/7 security operations capability monitoring for exploitation attempts against management infrastructure, a managed SOC engagement provides continuous detection of the specific API-access indicators that CVE-2026-35616 exploitation leaves in EMS audit logs.

Has Your Organisation Already Been Compromised?

Exploitation of CVE-2026-35616 began on 31 March 2026 — over two months ago. Any organisation running FortiClient EMS 7.4.5 or 7.4.6 with the management interface exposed during that period should assume potential compromise and conduct a security posture assessment alongside applying the hotfix.

Indicators of compromise to check in EMS audit logs:

  • API requests to /api/v1/ endpoints from unfamiliar source IPs without prior authentication events
  • New administrator accounts created after 31 March 2026 that were not provisioned by your team
  • Bulk endpoint-policy changes pushed outside your change-management windows
  • ZTNA policy exceptions added for unfamiliar endpoints or IP ranges
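The following triage script is an added example, not Fortinet tooling and not code from the original advisory. It runs the four indicator checks above (and the audit-log review in step 5 of the patching procedure) over a constructed JSON-lines audit log. The field names (`event`, `src`, `path`, `user`, `policy`, `endpoints`, `target`), the trusted admin network, the provisioned administrator list, the known ZTNA targets and the change window are all assumptions for the example; the real FortiClient EMS log schema differs, so map its fields onto these before pointing the script at real data. The sample events are constructed and include one intentionally out-of-order line to show why the log is sorted before the "no prior login" check.

```python
"""Triage of the CVE-2026-35616 audit-log indicators over a constructed sample log.

Added example: not Fortinet's tooling, not the advisory's own code. The log format
and every threshold below are assumptions to be replaced with your environment's values.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample audit log (NOT real EMS output; field names are assumptions).
SAMPLE_LOG = """\
{"ts":"2026-03-30T09:12:00Z","event":"login_success","user":"admin","src":"10.20.0.15"}
{"ts":"2026-03-30T09:13:10Z","event":"api_request","path":"/api/v1/endpoints","src":"10.20.0.15","user":"admin"}
{"ts":"2026-04-01T02:41:07Z","event":"api_request","path":"/api/v1/endpoints","src":"203.0.113.77","user":null}
{"ts":"2026-04-01T02:41:09Z","event":"api_request","path":"/api/v1/admins","src":"203.0.113.77","user":null}
{"ts":"2026-04-01T02:42:00Z","event":"admin_created","user":"svc_backup","src":"203.0.113.77"}
{"ts":"2026-04-01T02:45:30Z","event":"policy_push","policy":"Default","endpoints":418,"src":"203.0.113.77","user":"svc_backup"}
{"ts":"2026-04-02T22:30:00Z","event":"policy_push","policy":"Finance-ZTNA","endpoints":12,"src":"10.20.0.15","user":"admin"}
{"ts":"2026-04-01T02:46:02Z","event":"ztna_exception_added","target":"198.51.100.0/24","src":"203.0.113.77","user":"svc_backup"}
"""

# Environment-specific tunables (assumed values for the example).
EXPLOITATION_START = datetime(2026, 3, 31, tzinfo=timezone.utc)   # first observed exploitation
PROVISIONED_ADMINS = {"admin"}                                     # accounts your team created
TRUSTED_ADMIN_NETS = [ip_network("10.20.0.0/16")]                  # where admins log in from
KNOWN_ZTNA_TARGETS = {"10.30.0.0/24"}                              # approved ZTNA exceptions
CHANGE_WINDOW = (22, 2)   # UTC hours: policy pushes expected from 22:00 up to 02:00


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_change_window(ts):
    """True when ts falls inside the overnight change window (wraps past midnight)."""
    start, end = CHANGE_WINDOW
    return ts.hour >= start or ts.hour < end


def is_trusted(src):
    """True when the source address belongs to an administrative subnet."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(log_text):
    """Return a list of findings, one per event that matches an indicator.

    Events are sorted by timestamp first so that 'no prior login from this IP'
    is evaluated against what actually happened earlier, not log line order.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda ev: parse_ts(ev["ts"]))
    authenticated_ips = set()
    findings = []

    def flag(rule, ev, detail):
        findings.append({"rule": rule, "ts": ev["ts"], "src": ev.get("src"), "detail": detail})

    for ev in events:
        ts = parse_ts(ev["ts"])
        kind = ev["event"]
        src = ev.get("src")
        if kind == "login_success":
            authenticated_ips.add(src)
        elif kind == "api_request" and ev["path"].startswith("/api/v1/"):
            # Indicator 1: API call from an IP that never authenticated earlier in the log.
            if src not in authenticated_ips:
                where = "trusted net" if is_trusted(src) else "untrusted net"
                flag("unauthenticated_api", ev, f"{ev['path']} from {src} ({where}) with no prior login")
        elif kind == "admin_created":
            # Indicator 2: administrator account created after 31 March that you did not provision.
            if ts >= EXPLOITATION_START and ev["user"] not in PROVISIONED_ADMINS:
                flag("unprovisioned_admin", ev, f"account {ev['user']} created from {src}")
        elif kind == "policy_push":
            # Indicator 3: policy push outside the change-management window.
            if not in_change_window(ts):
                flag("offhours_policy_push", ev, f"{ev['policy']} to {ev['endpoints']} endpoints by {ev['user']}")
        elif kind == "ztna_exception_added":
            # Indicator 4: ZTNA exception for a target that is not on the approved list.
            if ev["target"] not in KNOWN_ZTNA_TARGETS:
                flag("unknown_ztna_exception", ev, f"exception for {ev['target']} added by {ev['user']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['rule']}] {finding['ts']} {finding['detail']}")
```

On the constructed sample the script reports five findings, all from 203.0.113.77: two unauthenticated `/api/v1/` calls, the unprovisioned `svc_backup` account, a 418-endpoint push at 02:45 UTC outside the window, and a ZTNA exception for an unknown range; the legitimate 30 March admin session and the in-window Finance-ZTNA push are not flagged. The "no prior login" rule is deliberately evaluated per source IP rather than per account, because a pre-authentication bypass leaves no authentication event to correlate against.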

If any of these indicators are present, preserve the EMS logs and take a disk or virtual-machine snapshot immediately, then engage an incident response team before applying the patch: patching an already-compromised server without prior forensic preservation destroys evidence critical to understanding the scope of the breach. Do not let this become a reason to delay the hotfix for long, and do not treat the hotfix as an eviction: it closes the entry point but leaves intact any accounts, policy changes or persistence the attacker has already planted, which must be found and removed separately.

Frequently Asked Questions

What is CVE-2026-35616?

CVE-2026-35616 is a critical (CVSS 9.1) improper access control vulnerability in Fortinet FortiClient EMS. It allows an unauthenticated attacker to send crafted API requests that bypass all authentication and authorisation controls, achieving remote code execution on the EMS server without valid credentials or user interaction.

Which versions of FortiClient EMS are affected by CVE-2026-35616?

FortiClient EMS versions 7.4.5 and 7.4.6 are affected. Versions 7.4.4 and earlier are not vulnerable. Fortinet has released an emergency hotfix for both affected versions; the permanent fix is included in FortiClient EMS 7.4.7.

What can an attacker do if FortiClient EMS is unpatched?

An attacker with network access to an unpatched FortiClient EMS instance can execute arbitrary code on the server without any authentication, extract all endpoint data and configurations, push malicious security-policy updates to every managed endpoint, disable endpoint-security controls fleet-wide, and use the EMS as a pivot point for lateral movement across internal networks.

Does CVE-2026-35616 affect the FortiClient endpoint agent on individual devices?

No — CVE-2026-35616 affects only FortiClient EMS (the server-side management platform), not the FortiClient endpoint agent installed on individual devices. However, because EMS controls all managed FortiClient endpoints, compromise of the EMS server puts the entire managed fleet at indirect risk.

Is Malaysia specifically at risk from CVE-2026-35616?

Yes. Fortinet is one of the most widely deployed cybersecurity vendors in Malaysian enterprises, financial institutions, and government agencies. Any Malaysian organisation running FortiClient EMS 7.4.5 or 7.4.6 is exposed. BNM RMiT and NACSA CNII guidelines both require timely patching of actively exploited critical vulnerabilities, and CVE-2026-35616 meets that threshold.

Need help verifying whether your FortiClient EMS deployment is exposed or already compromised? The Simply Data team provides emergency vulnerability assessments and incident response for Malaysian enterprises. Contact us for a same-day response.