
April 6, 2026

Fortinet Releases FortiClient EMS Hotfix After Reported Attacks


At a glance: A critical FortiClient EMS vulnerability (CVE-2026-35616) is being actively exploited, allowing threat actors to bypass authentication and gain administrative control over affected servers. The impact could be significant because EMS centrally manages endpoint policies, software deployment, and security settings. Organizations running EMS versions 7.4.5 or 7.4.6 are urged to apply Fortinet’s hotfix immediately, restrict exposure, and review logs for suspicious activity dating back to March 31, 2026.

Threat summary

On April 6, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new FortiClient Enterprise Management Server (EMS) vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, noting active exploitation. Researchers had already reported zero-day activity earlier in the week, and the first exploitation attempts were observed against honeypots on March 31, 2026.

Fortinet released an out-of-band hotfix on April 4, 2026, tracking the flaw as CVE-2026-35616 (FG-IR-26-099), and confirmed that exploitation was underway at the time of the advisory. The hotfix builds were released for the affected FortiClient EMS versions 7.4.5 and 7.4.6, and the company states that the full permanent fix will be included in EMS 7.4.7.

CVE-2026-35616 allows a bypass of the authentication checks that protect the FortiClient EMS API. No credentials, user interaction, or prior access are required. If the EMS interface is reachable from the internet or from an untrusted internal segment, the server may accept malicious requests as if they came from a trusted source. Once the authentication bypass occurs, the threat actor could gain access to privileged EMS functions and execute commands with administrative authority. The flaw carries a Common Vulnerability Scoring System score of 9.8 out of 10.

Analysis

Threat actors exploited CVE-2026-21643 earlier in March, but it remains unclear whether the same group is also behind the activity involving CVE-2026-35616. The timing aligns with a recurring pattern in which adversaries ramp up operations during holiday periods, when staffing levels and monitoring coverage are typically reduced.

The impact of CVE-2026-35616 could be significant because EMS centrally manages endpoint policies, software deployment, and security settings. A successful attack could result in full control of the EMS server, unauthorized configuration changes, and the ability to distribute malicious payloads to all enrolled devices. The attack does not require advanced skills, and a single point of unauthorized access has the potential to create widespread operational disruption across the environment.

Organizations running FortiClient EMS 7.4.5 or 7.4.6 should prioritize applying the available hotfix and plan to upgrade to version 7.4.7 when it becomes available.

Restrict any internet-exposed EMS instances to trusted networks or place them behind a secure access mechanism such as a VPN, identity-aware proxy, or dedicated management jump host to ensure only authenticated and authorized administrators can reach the EMS interface.

Review log data from EMS servers for unauthorized API calls, unexpected command execution, or anomalous administrative activity dating back to March 31, 2026.
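One way to start the log review described above, as an added example that is not from Fortinet or the original page: it flags API requests made on or after March 31, 2026 from sources outside the trusted administrator networks. It assumes access logs from a web server or reverse proxy in front of EMS in Combined Log Format; the trusted networks, the API path prefix, and the sample lines are constructed placeholders, not values from the advisory.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Review window start stated in the advisory: March 31, 2026.
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)
# Assumptions: substitute your own admin networks and the API prefix seen in your logs.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]
API_PREFIX = "/api/"  # placeholder, not taken from Fortinet documentation

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.45 - - [31/Mar/2026:02:14:07 +0000] "POST /api/v1/example HTTP/1.1" 200 512',
    '10.20.0.15 - - [01/Apr/2026:09:00:00 +0000] "GET /api/v1/example HTTP/1.1" 200 128',
    '198.51.100.7 - - [29/Mar/2026:23:59:59 +0000] "GET /api/v1/example HTTP/1.1" 401 0',
    '198.51.100.7 - - [02/Apr/2026:11:30:00 +0000] "GET /static/app.js HTTP/1.1" 200 900',
    'truncated line',
]

def parse(line):
    """Return a record dict, or None when the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": ip, "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def suspicious(lines):
    """Return (hits, unparsed): in-window API requests from untrusted sources,
    plus lines that failed to parse so they are reviewed rather than dropped."""
    hits, unparsed = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)
        elif (rec["ts"] >= WINDOW_START and rec["path"].startswith(API_PREFIX)
              and not any(rec["ip"] in net for net in TRUSTED_NETS)):
            hits.append(rec)
    return hits, unparsed
```

Hits are leads for manual review, not confirmation of compromise; correlate them with EMS administrative activity from the same period.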
