CVE-2026-35616 puts FortiClient EMS at risk of unauthenticated code execution

CVE-2026-35616 puts FortiClient EMS at risk of unauthenticated code execution

Fortinet has disclosed a critical FortiClient EMS vulnerability that defenders should treat as an immediate priority. According to FG-IR-26-099, CVE-2026-35616 is an improper access control flaw in the product’s API that may allow an unauthenticated attacker to execute unauthorized code or commands through crafted requests. More importantly, Fortinet says it has already observed exploitation in the wild.

That combination matters. When a vulnerability hits an endpoint management platform and the vendor is already warning about active exploitation, the issue stops being a routine patch item. It becomes an initial-access and control-plane risk that can affect the systems meant to help manage and secure endpoints across the estate.

What Fortinet disclosed

Fortinet rates the issue Critical with a CVSS 3.1 score of 9.1. The advisory, CVRF, and CSAF material all point to the same core problem: an API authentication and authorization bypass in FortiClient EMS. While the advisory summary classifies the weakness as improper access control, Fortinet’s own reference text says the flaw may let an unauthenticated attacker execute unauthorized code or commands.

Affected versions are narrow but important:

• FortiClient EMS 7.4.5 through 7.4.6 are affected
• FortiClient EMS 7.2 is listed as not affected
• Upcoming 7.4.7 will include the fix

In the meantime, Fortinet is directing customers on 7.4.5 and 7.4.6 to install the vendor hotfixes documented in the EMS release notes rather than waiting for 7.4.7.

Why this deserves urgent attention

FortiClient EMS is not just another internal service. It is part of the infrastructure used to manage endpoint security and client deployments. A vulnerability in that layer can create outsized downstream risk because compromise may give an attacker privileged influence over a security-adjacent management plane.

Even without a public exploit chain, the risk profile is already clear:

• No authentication required according to the advisory context
• The exposed component is the API, which commonly becomes a high-value target when reachable from untrusted networks
• The vendor says exploitation has already been seen in the wild
• The flaw can lead to unauthorized code or command execution, which moves this beyond a simple information leak or low-grade admin issue

For defenders, that should trigger the same response pattern used for critical flaws in remote management consoles, VPN gateways, and internet-facing security tooling. If the system is reachable where it should not be, or if exposure assumptions are weak, the blast radius can grow quickly.

What to do now

🔴 Identify every FortiClient EMS instance on 7.4.5 or 7.4.6

• Confirm product versions across production, standby, and overlooked lab or regional deployments.
• Verify whether the EMS API is reachable from the internet or from broad internal network segments.

🔴 Apply Fortinet’s hotfix guidance immediately

• Use Fortinet’s documented hotfix path for 7.4.5 and 7.4.6.
• Do not wait for 7.4.7 if an affected version is currently deployed.
• Track completion and validate that the hotfix was applied successfully.

🔴 Treat this as potential compromise, not only patch debt

• Review logs and administrative activity around the EMS API.
• Hunt for unexpected command execution, unknown sessions, suspicious changes, or new artifacts that do not match planned admin actions.
• If exposure existed, involve incident response early rather than assuming patching alone closes the problem.

🟠 Reduce the management-plane attack surface

• Restrict access to EMS management and API interfaces.
• Apply tighter access control around administrator access and supporting systems.
• Use network segmentation so endpoint management infrastructure is not broadly reachable.

Strategic takeaway

CVE-2026-35616 is a strong reminder that management infrastructure can become a high-impact entry point when an unauthenticated flaw appears in the control plane. The headline is not only that FortiClient EMS has a critical bug. The bigger operational point is that Fortinet is already warning about real-world exploitation while affected customers may still be planning normal upgrade timing.

That is the wrong lens. If you run FortiClient EMS 7.4.5 or 7.4.6, the right question is not whether the next maintenance window is close enough. It is whether you can confidently say the hotfix is in place, exposure is constrained, and no one has already abused the API.

What is CVE-2026-35616?

It is a critical FortiClient EMS vulnerability tied to an API authentication and authorization bypass that may let an unauthenticated attacker execute unauthorized code or commands.

Which versions are affected?

Fortinet lists FortiClient EMS 7.4.5 through 7.4.6 as affected. FortiClient EMS 7.2 is listed as not affected.

Is this being exploited already?

Yes. Fortinet says it has observed exploitation in the wild.

What is the fix?

Fortinet is directing customers on affected versions to apply the vendor hotfixes now, while 7.4.7 is expected to include the fix going forward.

References

1. Fortinet PSIRT FG-IR-26-099
2. Fortinet CVRF for FG-IR-26-099
3. Fortinet CSAF for FG-IR-26-099
4. Installing an EMS hotfix | FortiClient 7.4.5
5. Installing an EMS hotfix | FortiClient 7.4.6