What is CVE-2026-35616?
CVE-2026-35616 is an improper access control vulnerability (CWE-284) in Fortinet FortiClient EMS that allows an unauthenticated attacker to bypass API authentication and authorization checks and execute unauthorized code or commands via specially crafted requests. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical).
Exploitation requires no prior authentication and no user interaction. An attacker with network access to an exposed FortiClient EMS instance can send crafted API requests that the server fails to authenticate or authorize correctly, bypassing access controls entirely.
The practical impact spans unauthorized code execution, privilege escalation, and potential full compromise of the EMS host. Because FortiClient EMS acts as a central management server for endpoint security deployments, a successful attack can expose configurations, endpoint telemetry, and network access policies across an entire managed environment.
What assets are affected by CVE-2026-35616?
The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6. The 7.2 branch is not affected, and the status of the 8.0 branch had not been confirmed in Fortinet's advisory at the time of writing. A permanent fix is expected in the forthcoming 7.4.7 release; hotfixes for the affected versions are currently available.
FortiClient EMS is typically deployed as an internet-connected management server by organizations using Fortinet's endpoint security products. Its role as a centralized policy and telemetry hub makes it a high-value target. Internet-wide scanning conducted shortly after disclosure identified nearly 2,000 publicly exposed EMS instances, though the proportion running vulnerable versions was not confirmed.
These assets tend to be overlooked in patch prioritization because EMS servers are often treated as internal management infrastructure rather than externally facing attack surface. In practice, many deployments expose the management API to the internet to support remote endpoint management, creating a direct attack path for unauthenticated exploitation.
Are fixes available?
A patch is partially available. Fortinet released emergency hotfixes for FortiClient EMS 7.4.5 and 7.4.6 on April 4, 2026, outside of its normal patch cycle. Fortinet has stated that the hotfixes are sufficient to prevent exploitation of CVE-2026-35616. A full software fix will be included in the upcoming FortiClient EMS 7.4.7 release, which had not shipped at the time of writing.
The 7.2 branch does not require remediation for this specific flaw. The advisory did not confirm whether the 8.0 branch is affected, and that status should be verified directly with Fortinet. Organizations should not assume they are protected based solely on branch version without consulting the current advisory.
Defenders should apply the available hotfix immediately and monitor the Fortinet PSIRT advisory (FG-IR-26-099) for updates, including the release date of version 7.4.7 and any revised scope regarding the 8.0 branch.
Are there any other recommended actions to take?
Organizations running FortiClient EMS should treat this as an emergency response situation. Apply the available hotfix to all instances running 7.4.5 or 7.4.6 without delay, and restrict network access to the EMS management API to trusted IP ranges where operationally possible. Audit internet-facing FortiClient EMS deployments and verify that no unauthorized access has occurred since March 31, when exploitation was first recorded. Monitor for anomalous API activity and review endpoint management configurations for signs of unauthorized policy changes or credential exposure.
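As an added example (not code from the page, from Fortinet or from CyCognito), the following Python script turns the version scope stated above into a patch-triage list: 7.4.5 and 7.4.6 are affected, 7.2 is unaffected, 8.0 is unconfirmed, and 7.4.7 is the announced full fix. The inventory, hostnames and the `hotfix`/`exposed` fields are constructed assumptions; an exposed host running an affected build without the hotfix sorts to the top, followed by exposed hosts whose status cannot be confirmed from the advisory.

```python
import re

# Versions the advisory names as affected; 7.4.7 is the announced full fix.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED_RELEASE = (7, 4, 7)

# Constructed sample inventory (not real hosts): reported version, hotfix state, API exposure.
INVENTORY = [
    {"host": "ems-prod-01", "version": "7.4.5",  "hotfix": False, "exposed": True},
    {"host": "ems-prod-02", "version": "7.4.6",  "hotfix": True,  "exposed": True},
    {"host": "ems-lab",     "version": "7.2.10", "hotfix": False, "exposed": False},
    {"host": "ems-pilot",   "version": "8.0.1",  "hotfix": False, "exposed": True},
    {"host": "ems-new",     "version": "7.4.7",  "hotfix": False, "exposed": False},
    {"host": "ems-legacy",  "version": "n/a",    "hotfix": False, "exposed": True},
]

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version_text, hotfix=False):
    """Map one EMS build to a remediation status, following the advisory's stated scope."""
    v = parse_version(version_text)
    if v is None:
        return "UNKNOWN: verify build manually"
    if v in AFFECTED:
        return "HOTFIXED: upgrade to 7.4.7 when released" if hotfix else "VULNERABLE: apply hotfix now"
    if v[:2] == (7, 2):
        return "NOT AFFECTED: 7.2 branch"
    if v[:2] == (8, 0):
        return "UNCONFIRMED: check FG-IR-26-099 for 8.0 scope"
    if v[:2] == (7, 4) and v >= FIXED_RELEASE:
        return "FIXED: 7.4.7 or later"
    return "UNKNOWN: version not covered by the advisory, confirm with vendor"

def priority(status, exposed):
    """Lower is more urgent: exposed vulnerable hosts first, then exposed hosts of unverified status."""
    if status.startswith("VULNERABLE"):
        return 0 if exposed else 1
    if exposed and status.split(":")[0] in ("UNKNOWN", "UNCONFIRMED"):
        return 2
    return 3

def triage(inventory):
    """Return (priority, host, status) rows, most urgent first."""
    rows = []
    for h in inventory:
        status = classify(h["version"], h["hotfix"])
        rows.append((priority(status, h["exposed"]), h["host"], status))
    return sorted(rows)
```

Feed it the version strings your asset inventory already records for each EMS instance; a build that the advisory does not cover deliberately lands in UNKNOWN rather than being assumed safe.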
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-35616 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.