Fortinet has confirmed active exploitation of CVE-2026-35616 in the wild. The vulnerability was reportedly leveraged as a zero-day prior to disclosure, indicating that attackers had already identified and weaponized the flaw before patches were made available.
Security researchers observed exploitation targeting exposed FortiClient EMS instances, with internet scans identifying over 2,000 publicly accessible systems. This suggests both opportunistic scanning and potential targeted activity against organizations relying on EMS for endpoint management.
For more details, please refer to the Fortinet advisory.
Impact Assessment
This vulnerability introduces significant risk due to its pre-authentication nature and the central role of EMS within enterprise environments. Successful exploitation allows attackers to execute arbitrary commands without valid credentials.
Given that EMS is used to manage endpoints, compromise can lead to broader network access, deployment of malicious configurations, and potential lateral movement across managed systems. In environments where EMS is internet-exposed, the risk of compromise is considerably elevated.
Technical Details
CVE-2026-35616 is caused by an improper access control issue that allows attackers to bypass authentication and authorization mechanisms through specially crafted API requests. This effectively exposes a remote execution pathway without requiring prior access.
The flaw impacts FortiClient EMS versions 7.4.5 and 7.4.6, while version 7.2 is not affected. Fortinet has released emergency hotfixes and indicated that a permanent fix will be included in version 7.4.7.
Recommended Actions
- Apply the latest Fortinet hotfixes immediately for affected versions
- Upgrade to FortiClient EMS 7.4.7 once available
- Restrict EMS access from the internet and enforce access controls (VPN, IP allowlisting)
- Monitor for unusual API activity and unexpected command execution on management systems
- Conduct a compromise assessment if EMS was previously exposed
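A starting point for the API-monitoring and compromise-assessment actions above, added here as an example (it is not Fortinet or OP Innovate tooling): it groups API requests that came from sources outside the management allowlist. It assumes EMS sits behind a reverse proxy that writes combined-format access logs; the /api/ prefix, the placeholder path, the allowlist range and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: a reverse proxy in front of EMS logs in common/combined format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real EMS traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [02/Apr/2026:08:01:11 +0000] "GET /api/v1/placeholder HTTP/1.1" 200 512
198.51.100.7 - - [02/Apr/2026:08:03:40 +0000] "POST /api/v1/placeholder HTTP/1.1" 200 87
198.51.100.7 - - [02/Apr/2026:08:03:42 +0000] "POST /api/v1/placeholder HTTP/1.1" 200 4096
203.0.113.9 - - [02/Apr/2026:09:15:02 +0000] "GET /api/v1/placeholder HTTP/1.1" 403 0
203.0.113.9 - - [02/Apr/2026:09:15:05 +0000] "GET /index.html HTTP/1.1" 200 1024
not a log line
"""

def triage(log_text, allowlist, api_prefix="/api/"):
    """Group API requests from sources outside the management allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings = defaultdict(lambda: {"served": 0, "rejected": 0, "first": None, "last": None})
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # count unparsable lines instead of dropping them
            continue
        if not m["path"].startswith(api_prefix):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:         # hostname or garbage in the source field
            unparsed += 1
            continue
        if any(src in n for n in nets):
            continue               # expected management traffic
        f = findings[str(src)]
        # A 2xx to an unexpected source means the API answered: review first.
        f["served" if m["status"].startswith("2") else "rejected"] += 1
        f["first"] = f["first"] or m["ts"]
        f["last"] = m["ts"]
    return dict(findings), unparsed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["10.20.0.0/16"]))
```

Sources with a non-zero "served" count are the ones to correlate with process and command execution records on the EMS host for the same time window.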
Stay Safe. Stay Secure
OP Innovate Research Team



