Unauthenticated RCE in FortiClient EMS Is Being Actively Exploited
A critical vulnerability in FortiClient EMS, Fortinet’s endpoint management platform, allows unauthenticated remote code execution on affected servers. The issue impacts FortiClient EMS 7.4.5 and 7.4.6, exposing organizations that use the product to potential full compromise of the management system.
Fortinet has reported active exploitation in the wild, and Finland’s National Cyber Security Centre has urged organizations to apply the available hotfix immediately. Because the flaw can be exploited without authentication, exposed FortiClient EMS instances should be treated as high priority for emergency remediation and compromise assessment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Fortinet releases hotfix for vulnerable FortiClient EMS versions
A hotfix was released for the FortiClient EMS vulnerability affecting versions 7.4.5 and 7.4.6. Authorities recommended organizations install the fix immediately due to the risk of compromise.
FortiClient EMS vulnerability is actively exploited in the wild
A vulnerability affecting FortiClient EMS versions 7.4.5 and 7.4.6 was reported as allowing unauthenticated arbitrary code execution on affected systems. The vendor stated it had observed active exploitation of the flaw in the wild.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
FortiClient EMS -tuotteen haavoittuvuus altistaa murrolle | Kyberturvallisuuskeskus
kyberturvallisuuskeskus.fi
Open sourceFortiClient EMS -tuotteen haavoittuvuus altistaa murrolle | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of FortiClient EMS Authentication Bypass Enables Remote Code Execution
Fortinet disclosed a critical FortiClient Endpoint Management Server flaw, **CVE-2026-35616**, caused by improper access control in the EMS API that lets a remote, unauthenticated attacker bypass authentication and authorization and potentially execute code or commands on the host. Fortinet and CISA said the bug is being actively exploited as a zero-day, with affected versions identified as **FortiClientEMS 7.4.5 through 7.4.6**; the vendor directed customers to upgrade to **7.4.7** or apply available hotfixes. Reporting and public tooling indicate attackers have been scanning for exposed EMS instances and targeting enterprise environments including government, healthcare, and cryptocurrency organizations. Security researchers published detection guidance and an exposure-checking tool for internet-facing systems, while defenders were urged to restrict external access to EMS, review logs for suspicious API activity, and assess whether exploitation may have been paired with other recently disclosed FortiClient EMS weaknesses such as **CVE-2026-21643**.
May 29, 2026
Fortinet FortiClient EMS Zero-Day Lets Unauthenticated Attackers Take Control
Fortinet issued an emergency hotfix for a critical zero-day in **FortiClient EMS** that was being actively exploited in the wild. The vulnerability, tracked as `CVE-2026-35616` and documented in advisory `FG-IR-26-099`, affects FortiClient EMS versions **7.4.5** and **7.4.6** and allows an unauthenticated remote attacker to bypass API authentication and authorization. Fortinet rated the flaw **9.1 CVSSv3** and mapped it to **CWE-284 Improper Access Control**, warning that exploitation can enable arbitrary code or command execution and full control over endpoint management operations. The issue was reported by **Simo Kohonen** of Defused and independent researcher **Nguyen Duc Anh**, with Defused identifying exploitation activity before public disclosure. Fortinet said **7.2.x** is not affected, released hotfixes, and indicated that **7.4.7** will include the permanent fix. Organizations were urged to patch immediately, review EMS logs for suspicious unauthenticated API activity, and restrict external access to the EMS management interface wherever possible.
Apr 14, 2026
Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.
Mar 21, 2026