Active Exploitation of FortiClient EMS Authentication Bypass Enables Remote Code Execution
Fortinet disclosed a critical FortiClient Endpoint Management Server (EMS) flaw, CVE-2026-35616, caused by improper access control in the EMS API. A remote, unauthenticated attacker can send crafted requests that bypass authentication and authorization and potentially execute code or commands on the host. Fortinet and CISA said the bug is being actively exploited as a zero-day. The affected versions are FortiClient EMS 7.4.5 through 7.4.6; the vendor directed customers to upgrade to 7.4.7 or later or to apply the available hotfixes.
Reporting and public tooling indicate attackers have been scanning for exposed EMS instances and targeting enterprise environments, including government, healthcare, and cryptocurrency organizations. Security researchers published detection guidance and an exposure-checking tool for internet-facing systems. Defenders were urged to restrict external access to EMS, review logs for suspicious API activity, and assess whether exploitation may have been chained with other recently disclosed FortiClient EMS weaknesses such as CVE-2026-21643. An exposure check only tells you whether an instance is reachable from the internet; a management server that should never have been internet-facing still needs the patch and a log review.

How this story unfolded
Six events, listed from the most recent confirmed update back to the earliest known activity.
Attackers use FortiClient EMS to deploy EKZ Infostealer via fake patch
In May 2026, Arctic Wolf observed attackers exploiting CVE-2026-35616 to compromise FortiClient EMS and push a fake Fortinet update, FortiEndpoint_Patch.exe, to managed endpoints. The payload was identified as EKZ Infostealer, a previously unreported browser credential stealer that exfiltrated harvested data over HTTP to attacker-controlled infrastructure.
Bishop Fox publishes CVE-2026-35616 exposure check tool
Bishop Fox published a public GitHub repository, CVE-2026-35616-check, giving defenders a way to identify potentially vulnerable or exposed FortiClient EMS instances after disclosure of the actively exploited flaw.
CISA adds CVE-2026-35616 to Known Exploited Vulnerabilities catalog
CISA added Fortinet FortiClient EMS flaw CVE-2026-35616 to its Known Exploited Vulnerabilities catalog after disclosure of active exploitation. The listing formally recognized the bug as exploited in the wild and elevated urgency for remediation.
Fortinet issues remediation guidance for vulnerable FortiClient EMS versions
Fortinet identified the affected versions as FortiClient EMS 7.4.5 through 7.4.6 and advised customers to upgrade to 7.4.7 or later or to apply the relevant hotfixes. The guidance also emphasized restricting external access to EMS and monitoring for suspicious API activity.
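The remediation guidance above and the summary at the top of the page both reduce to two checks per EMS instance: is it on an affected build without a hotfix, and is its management interface reachable from outside the organization. The following script is an added example (not Fortinet's, CISA's, Arctic Wolf's or Bishop Fox's tooling) that encodes only those two facts from the advisory: 7.4.5 through 7.4.6 is affected, 7.4.7 or later (or a vendor hotfix) is fixed, and external reachability is a finding on its own. The inventory record layout, the INTERNAL_NETS list, the hotfix flag and the sample entries are constructed for the example.

```python
"""Triage a FortiClient EMS inventory against the CVE-2026-35616 advisory.

Added example; not vendor or researcher tooling. Encodes only what the advisory
summary states: FortiClient EMS 7.4.5 through 7.4.6 is affected, 7.4.7 or later
(or a vendor hotfix) is fixed, and the EMS management interface should not be
reachable from outside the organization. The inventory layout, INTERNAL_NETS
and the sample hosts are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field

AFFECTED_MIN = (7, 4, 5)   # first affected build, per the advisory
AFFECTED_MAX = (7, 4, 6)   # last affected build
FIXED_MIN = (7, 4, 7)      # first fixed release

# Assumption: address space from which the EMS admin/API port may legitimately be reached.
# Checked explicitly rather than via ipaddress.is_private, which also treats the
# RFC 5737 documentation ranges used in the sample data as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class EmsHost:
    name: str
    version: str                        # as shown in the EMS console, e.g. "7.4.6"
    hotfix_applied: bool = False        # assumption: vendor hotfix for this CVE installed
    seen_from: list[str] = field(default_factory=list)  # source IPs hitting the admin/API port


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '7.4.6', 'v7.4.6' or '7.4.6 build 1234' to a comparable 3-tuple."""
    core = text.strip().lstrip("vV").split()[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def patch_status(host: EmsHost) -> str:
    """VULNERABLE / HOTFIXED / FIXED / OUTSIDE_ADVISORY_RANGE for one host."""
    v = parse_version(host.version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "HOTFIXED" if host.hotfix_applied else "VULNERABLE"
    if v >= FIXED_MIN:
        return "FIXED"
    # Older builds are not in the advisory's affected range; confirm against the
    # vendor PSIRT entry rather than assuming they are safe.
    return "OUTSIDE_ADVISORY_RANGE"


def external_sources(host: EmsHost) -> list[str]:
    """Source IPs that fall outside every INTERNAL_NETS range."""
    return [ip for ip in host.seen_from
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)]


def triage(hosts: list[EmsHost]) -> list[dict]:
    """One row per host: patch status, external exposure, and the action to take."""
    rows = []
    for h in hosts:
        status = patch_status(h)
        ext = external_sources(h)
        if status == "VULNERABLE" and ext:
            action = ("ISOLATE: block external access, upgrade to 7.4.7 or later, "
                      "then review API logs as if already compromised")
        elif status == "VULNERABLE":
            action = "UPGRADE to 7.4.7 or later (or apply the vendor hotfix)"
        elif ext:
            action = "RESTRICT external access to the EMS interface"
        else:
            action = "OK"
        rows.append({"host": h.name, "version": h.version, "status": status,
                     "external_sources": ext, "action": action})
    return rows


# Constructed sample inventory; hostnames and IPs are illustrative only.
SAMPLE_HOSTS = [
    EmsHost("ems-hq", "7.4.6", seen_from=["10.20.1.15", "203.0.113.9"]),
    EmsHost("ems-dr", "7.4.5 build 1200", hotfix_applied=True, seen_from=["10.20.1.15"]),
    EmsHost("ems-lab", "v7.4.7", seen_from=["192.168.50.3"]),
    EmsHost("ems-legacy", "7.2.9", seen_from=["10.9.9.9", "198.51.100.77"]),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS):
        print(f"{row['host']:<11} {row['version']:<17} {row['status']:<23} "
              f"external={row['external_sources']} -> {row['action']}")
```

The ordering of actions is deliberate: an affected build that is also reachable from outside the trusted ranges is treated as a possible compromise, not just a patching task, which matches the page's advice to review API logs rather than assume the upgrade alone closes the incident.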
Fortinet discloses CVE-2026-35616 and confirms active exploitation
Fortinet disclosed CVE-2026-35616, a critical improper access control flaw in FortiClient Endpoint Management Server that can let a remote unauthenticated attacker send crafted requests leading to unauthorized code or command execution. Fortinet and CISA confirmed the bug was being actively exploited in the wild.
Attackers begin exploiting CVE-2026-35616 in the wild
Exploitation of Fortinet FortiClient EMS vulnerability CVE-2026-35616 reportedly began in late March 2026, with automated scanning and attacks observed against exposed EMS systems. Reported targeting included organizations in government, healthcare, and cryptocurrency sectors.
Sources
New infostealer reaches enterprise devices through FortiClient EMS vulnerability (helpnetsecurity.com)
CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks (securityaffairs.com)
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer (thehackernews.com)
FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware (cybersecuritynews.com)
Attackers exploited the FortiClient EMS bug as a 0-day (theregister.com)
GitHub - BishopFox/CVE-2026-35616-check (github.com)
Fortinet Zero-Day Exploit CVE-2026-35616 Under Attack (blog.cybernexora.com)
Fortinet FortiClient EMS vulnerability: CVE-2026-35616 (runzero.com)