FortiClient EMS hotfixes exploited API auth bypass
TL;DR — A critical access-control flaw in FortiClient EMS’s API can let unauthenticated attackers execute unauthorized code/commands via crafted requests; apply Fortinet’s hotfix guidance for affected releases.
What happened
FortiClient Endpoint Management Server (EMS) is Fortinet’s centralized management plane for deploying, configuring, and monitoring FortiClient endpoints across an organization.
Fortinet PSIRT advisory FG-IR-26-099 discloses CVE-2026-35616, an Improper Access Control (CWE-284) issue described as an “API authentication and authorization bypass”. The advisory states the bug can allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Fortinet’s narrative text says it has observed exploitation in the wild, even though the same advisory’s metadata field lists “Known Exploited: No” — treat this as a high-confidence, high-urgency internet-exposure risk given EMS’s role as a privileged management system.
Who is impacted
- Organizations running FortiClient EMS 7.4.5 through 7.4.6.
- Deployments where EMS is reachable by untrusted networks (common for distributed fleets and remote endpoints).
| Product line | Affected versions (per advisory) | Vendor-recommended remediation (per advisory) |
|---|---|---|
| FortiClient EMS 7.4 | 7.4.5 through 7.4.6 | Install the hotfix (via Fortinet docs) and/or “Upgrade to upcoming 7.4.7 or above” |
| FortiClient EMS 7.2 | Not affected | Not applicable |
What to do now
- Follow vendor remediation guidance and apply Fortinet’s hotfix instructions for your deployed branch. The advisory states: "Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix"
- Use the vendor-linked instructions for the impacted releases:
  - https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484
  - https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484
- If you run EMS in production, treat this as a management-plane compromise class until ruled out:
  - Inventory all EMS instances and verify which are on 7.4.5–7.4.6.
  - Review ingress logs/proxy logs for anomalous request patterns targeting EMS API endpoints around the disclosure window.
  - Rotate credentials and tokens accessible to the EMS host (service accounts, deployment keys, API tokens) if you suspect exposure or exploitation.
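The two triage steps above (version inventory and API log review) as an added Python example, not code from the advisory or from Fortinet: the affected range 7.4.5 through 7.4.6 comes from the advisory, while the `/api/` path prefix and the trusted management CIDRs are assumptions, and the inventory and log lines are constructed sample data.

```python
import re
from ipaddress import ip_address, ip_network

AFFECTED_MIN, AFFECTED_MAX = (7, 4, 5), (7, 4, 6)  # affected range per advisory

def parse_version(v: str) -> tuple:
    """Turn '7.4.6' or '7.4.6 build 1000' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised EMS version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when the version lies in 7.4.5 through 7.4.6 (7.2.x and 7.4.7+ are not)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def triage_inventory(inventory: dict) -> dict:
    """Split EMS hosts into those that need the hotfix/upgrade and the rest."""
    out = {"needs_hotfix": [], "ok": []}
    for host, ver in inventory.items():
        out["needs_hotfix" if is_affected(ver) else "ok"].append(host)
    return out

# Assumptions (not from the advisory): the EMS API is served under /api/, and
# legitimate endpoint/admin traffic originates from these management CIDRs.
API_PREFIX = "/api/"
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Common-log style line: client ip ... [time] "METHOD PATH HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_api_requests(lines) -> list:
    """Return (src, method, path, status) for API hits from outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, status = m.groups()
        external = not any(ip_address(src) in n for n in TRUSTED_NETS)
        if path.startswith(API_PREFIX) and external:
            hits.append((src, method, path, int(status)))
    return hits

# Constructed sample data for a dry run (not real hosts or traffic).
SAMPLE_INVENTORY = {"ems-hq": "7.4.6 build 1000", "ems-lab": "7.4.7", "ems-old": "7.2.9"}
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Jan/2026:10:00:00 +0000] "GET /api/v1/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /api/v1/auth HTTP/1.1" 401 88',
    '203.0.113.9 - - [01/Jan/2026:10:00:07 +0000] "POST /api/v1/auth HTTP/1.1" 200 88',
]
```

Hosts listed under `needs_hotfix` map to the advisory's remediation row; flagged log entries are a starting point for the ingress review, not proof of exploitation.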
