Fortinet FortiClient EMS Zero-Day Lets Unauthenticated Attackers Take Control
Fortinet issued an emergency hotfix for a critical zero-day in FortiClient EMS that was being actively exploited in the wild. The vulnerability, tracked as CVE-2026-35616 and documented in advisory FG-IR-26-099, affects FortiClient EMS versions 7.4.5 and 7.4.6 and allows an unauthenticated remote attacker to bypass API authentication and authorization. Fortinet assigned the flaw a CVSSv3 score of 9.1 and mapped it to CWE-284 (Improper Access Control), warning that exploitation can enable arbitrary code or command execution and full control over endpoint management operations.
The issue was reported by Simo Kohonen of Defused and independent researcher Nguyen Duc Anh, with Defused identifying exploitation activity before public disclosure. Fortinet said 7.2.x is not affected, released hotfixes, and indicated that 7.4.7 will include the permanent fix. Organizations were urged to patch immediately, review EMS logs for suspicious unauthenticated API activity, and restrict external access to the EMS management interface wherever possible.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
NHS England issues high-severity alert on FortiClient EMS zero-day
NHS England issued a high-severity alert warning organizations about active exploitation of FortiClient EMS vulnerability CVE-2026-35616 and said further exploitation was almost certain in the near term. The alert expanded official warnings beyond the earlier U.S. and Singapore government advisories.
Bishop Fox publishes CVE-2026-35616 root-cause analysis and detection scanner
On 2026-04-07, Bishop Fox disclosed technical details showing FortiClient EMS trusted spoofable certificate-authentication headers and inadequately validated certificate chains, enabling unauthenticated API access. The firm also released a non-destructive scanner to help organizations determine whether Fortinet's hotfix had been applied.
U.S. and Singapore agencies warn on CVE-2026-35616 exploitation
On April 6, 2026, U.S. and Singapore government agencies issued urgent alerts about active exploitation of FortiClient EMS flaw CVE-2026-35616. CISA directed U.S. federal civilian agencies to apply Fortinet's hotfix by Thursday and advised organizations to assess exposure and check internet-facing systems for compromise.
Shadowserver warns 2,000+ FortiClient EMS instances are internet-exposed
Shadowserver Foundation reported that more than 2,000 FortiClient EMS instances were publicly exposed online, with the highest counts in the United States and Germany. The warning said CVE-2026-35616 and CVE-2026-21643 were being actively exploited in the wild, increasing the risk to exposed systems.
Fortinet publishes advisory FG-IR-26-099 and releases emergency hotfixes
On April 4, 2026, Fortinet disclosed CVE-2026-35616 in advisory FG-IR-26-099 and issued emergency hotfixes for affected FortiClient EMS versions. Fortinet said version 7.2.x is not affected and that version 7.4.7 will include the permanent fix.
Researchers identify FortiClient EMS zero-day and observe active exploitation
Defused researcher Simo Kohonen and independent researcher Nguyen Duc Anh discovered CVE-2026-35616 in FortiClient EMS, and Defused detected that the flaw was being actively exploited in the wild before public disclosure. The vulnerability allows unauthenticated attackers to bypass API authentication and authorization on affected 7.4.5 and 7.4.6 systems.
watchTowr records CVE-2026-35616 exploitation attempts in honeypots
watchTowr said its honeypots first observed exploitation attempts targeting CVE-2026-35616 on March 31, 2026. This provided an earlier dated indication of active exploitation against FortiClient EMS before Fortinet's public advisory.
Fortinet patches CVE-2026-21643 after warning of active exploitation
On 2026-02-06, Fortinet patched critical FortiClient EMS flaw CVE-2026-21643 and warned that it was being actively exploited in the wild. The vulnerability was later cited alongside CVE-2026-35616 as another actively targeted FortiClient EMS issue.


