Fortinet FortiClient EMS CVE-2026-35616: Unauthenticated RCE Under Active Attack
Summary
Fortinet released an emergency patch for CVE-2026-35616, a critical improper access control vulnerability in FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw allows unauthenticated attackers to execute arbitrary code or commands and was actively exploited as a zero-day before disclosure. Over 2,000 exposed instances were identified online.
Threat Analysis
CVE-2026-35616 is a critical improper access control vulnerability in Fortinet FortiClient Enterprise Management Server (EMS). The vulnerability allows unauthenticated remote attackers to execute code or commands through specially crafted requests. The flaw was discovered by the cybersecurity firm Defused, which observed its exploitation as a zero-day before reporting it to Fortinet.
Affected Products: FortiClient EMS versions 7.4.5 and 7.4.6. Over 2,000 internet-exposed instances were identified at time of disclosure.
Exploitation Status: Actively exploited in the wild as a zero-day. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6, with a full fix available in version 7.4.7.
Context: This follows CVE-2026-21643, another critical FortiClient EMS flaw actively exploited the previous week, also discovered by Defused. The pattern suggests sustained targeting of Fortinet EMS infrastructure.
Recommended Mitigations: Install the Fortinet hotfixes for FortiClient EMS 7.4.5 and 7.4.6 immediately, or upgrade to version 7.4.7. Restrict access to the EMS management interface to trusted IP ranges. Review EMS logs for signs of unauthorized access. Implement network segmentation to limit the blast radius if EMS is compromised.