Emergency Security Bulletin: Improper Access Control Vulnerability in Fortinet FortiClient EMS


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-35616 is a critical improper access control vulnerability in the FortiClient EMS API. The flaw allows an unauthenticated attacker to bypass authentication and authorization controls and execute unauthorized commands via crafted requests.

Successful exploitation may enable attackers to gain control of endpoint management systems, execute malicious operations, and potentially compromise managed endpoints across the environment.

This vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities catalog.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Improper Access Control Vulnerability in Fortinet FortiClient EMS


Identifier: CVE-2026-35616
CVSS Score: 9.1 (Critical, CVSS v3.1)
PoC or Exploitation:
Fortinet has confirmed that this vulnerability is being actively exploited in the wild. It has also been added to CISA's Known Exploited Vulnerabilities catalog.

Update / Patch:

Fortinet has released hotfixes to address this vulnerability.

Affected versions include:

FortiClient EMS 7.4.5
FortiClient EMS 7.4.6

Not affected:
FortiClient EMS 7.2.x

Fixed / mitigation guidance:
Apply the vendor-provided hotfix for 7.4.5 and 7.4.6
Upgrade to FortiClient EMS 7.4.7 or later once available

Fortinet advisory and patch guidance:

Description:

CVE-2026-35616 is an improper access control vulnerability in the FortiClient EMS API. The vulnerability allows an unauthenticated attacker to execute unauthorized code or commands via crafted requests by bypassing authentication and authorization controls.


Mitigation Recommendation:

Immediately apply the Fortinet hotfix for affected FortiClient EMS versions.

Upgrade to FortiClient EMS 7.4.7 or later when available.

Ensure FortiClient EMS interfaces are not exposed to the public internet.

Restrict access to EMS APIs and web interfaces to trusted management networks only.

Monitor logs for suspicious API requests, authentication bypass attempts, or unauthorized command execution.

Conduct threat hunting and incident response activities on affected systems, especially those exposed externally, and rotate credentials if compromise is suspected.