Active attacks target critical Fortinet vulnerability – act now
Fortinet has disclosed critical vulnerability CVE-2026-35616 (CVSS score 9.8) in FortiClient EMS, which is confirmed to have been exploited in the wild since March 31, 2026. Attackers deliberately timed their activity over the Easter holiday weekend to exploit reduced security team capacity and extend the window between compromise and detection.
How the vulnerability works
FortiClient EMS is an enterprise endpoint management solution used by organizations worldwide to manage and enforce security policies across employee devices. The vulnerability stems from a missing access control enforcement in FortiClient EMS's API layer, classified under CWE-284 (Improper Access Control). Under normal operation, the EMS API is expected to authenticate and authorize every incoming request before executing any actions. In this case, that enforcement is absent.
Instead, the server processes crafted API requests without validating identity or permissions, allowing an attacker to invoke privileged API endpoints directly. Because the bypass occurs before authentication takes place, no session token, credentials, or prior foothold is required.
Why this is dangerous
Since attackers can take complete control of affected systems without credentials or user interaction from anywhere on the internet, the consequences are severe. Successful exploitation grants an unauthenticated remote attacker arbitrary code execution on the FortiClient EMS server. Given EMS’s role as the management plane for endpoint security policy enforcement across an organization’s entire device fleet, a compromise at this layer effectively hands an attacker administrative control over every managed endpoint. This translates directly into potential ransomware deployment, credential harvesting, persistent backdoor installation, and unrestricted lateral movement across the environment.
Mitigation and next steps
Fortinet has released a hotfix for FortiClient EMS versions 7.4.5 and 7.4.6, and strongly urges all affected customers to apply it immediately. Where immediate patching is not possible, access to the FortiClient EMS server should be restricted to trusted IP ranges via firewall policy, and any direct internet exposure should be eliminated as an immediate priority. Organizations should treat this as an emergency response, not routine patch management.
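The two points above, the missing authentication and authorization gate in the API layer (CWE-284) and the compensating control of restricting access to trusted IP ranges, can be shown side by side in a small request gate. The following Python is an added illustration written for this page; it is not Fortinet's code and makes no claim about how FortiClient EMS is implemented. Ranges, tokens, endpoint paths and role names are constructed placeholders. The weak dispatcher routes every request straight to its handler; the hardened one enforces three gates, network allowlist, authentication and authorization, and denies by default for any endpoint not explicitly listed.

```python
"""Layered API request gate: network allowlist -> authentication -> authorization.
Added example for the advisory's CWE-284 description; not Fortinet/FortiClient code.
All addresses, tokens and endpoint names below are constructed placeholders."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Compensating control from the advisory: only trusted management ranges may reach the API.
TRUSTED_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),     # constructed: internal management network
    ipaddress.ip_network("192.168.50.0/24"),  # constructed: admin jump-host subnet
]

# token -> (principal, role). Constructed placeholder values, not real credentials.
TOKENS = {
    "tok-admin-EXAMPLE": ("ems-admin", "admin"),
    "tok-ro-EXAMPLE": ("helpdesk", "readonly"),
}

# Endpoint -> minimum role required. Any path absent from this table is denied (deny by default).
REQUIRED_ROLE = {
    "/api/v1/clients/list": "readonly",
    "/api/v1/policy/deploy": "admin",
    "/api/v1/scripts/run": "admin",
}
ROLE_RANK = {"readonly": 1, "admin": 2}


@dataclass
class Request:
    source_ip: str
    path: str
    token: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    stage: str                        # gate that decided: network, authn, authz or dispatch
    principal: Optional[str] = None


def _lookup_token(token: str):
    """Constant-time comparison against every stored token, so timing does not leak matches."""
    for stored, identity in TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return identity
    return None


def handle_request_vulnerable(req: Request) -> Decision:
    """Weak pattern: the dispatcher never checks who is asking; a known path is simply executed."""
    if req.path in REQUIRED_ROLE:
        return Decision(True, "dispatch", principal="unverified")
    return Decision(False, "dispatch")


def handle_request_hardened(req: Request) -> Decision:
    """Every request must pass three gates before a privileged handler can run."""
    # Gate 1: network allowlist (the advisory's 'restrict to trusted IP ranges').
    src = ipaddress.ip_address(req.source_ip)
    if not any(src in net for net in TRUSTED_RANGES):
        return Decision(False, "network")
    # Gate 2: authentication. Missing or unknown token is rejected before the route table is consulted.
    if not req.token:
        return Decision(False, "authn")
    identity = _lookup_token(req.token)
    if identity is None:
        return Decision(False, "authn")
    principal, role = identity
    # Gate 3: authorization. Unknown endpoints and insufficient roles are both denied.
    needed = REQUIRED_ROLE.get(req.path)
    if needed is None or ROLE_RANK[role] < ROLE_RANK[needed]:
        return Decision(False, "authz", principal)
    return Decision(True, "dispatch", principal)


if __name__ == "__main__":
    # Same unauthenticated request from an untrusted address, through both gates.
    probe = Request("203.0.113.9", "/api/v1/scripts/run")
    print("vulnerable:", handle_request_vulnerable(probe))
    print("hardened:  ", handle_request_hardened(probe))
```

The order of the gates matters: the network check runs first so that an unauthenticated request from outside the trusted ranges is dropped before any token parsing or route lookup, which is exactly the effect a firewall policy in front of the EMS server is meant to achieve while the hotfix is pending.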
This is the second critical unauthenticated vulnerability in FortiClient EMS disclosed within weeks, reinforcing the need for continuous, prioritized patching of internet-facing security infrastructure: the systems where a successful compromise carries the greatest organizational risk.
Holm Security’s response
Holm Security will release the following test to scan for this vulnerability:
- HID-2-1-5321365: Fortinet FortiClient EMS API Authentication and Authorization Bypass Vulnerability (FG-IR-26-099)
Need help?
If you have any questions, don't hesitate to reach out.
Mihail Lupan
Head of Security Research
Mihail has extensive expertise in vulnerability management and over 10 years’ experience in IT and cyber security. With a strong foundation in software development, including automation and automotive industries, he leads the Security Research team and is responsible for all vulnerability tests across the company’s suite of vulnerability scanners.