Fortinet has disclosed critical vulnerability CVE-2026-35616 (CVSS score 9.8) in FortiClient EMS, which is confirmed exploited in the wild since March 31, 2026. Attackers deliberately timed activity over the Easter holiday weekend to exploit reduced security team capacity and extend the window between compromise and detection.
FortiClient EMS is an enterprise endpoint management solution used by organizations worldwide to manage and enforce security policies across employee devices. The vulnerability stems from a missing access control enforcement in FortiClient EMS's API layer, classified under CWE-284 (Improper Access Control). Under normal operation, the EMS API is expected to authenticate and authorize every incoming request before executing any actions. In this case, that enforcement is absent.
Instead, the server processes crafted API requests without validating identity or permissions, so an attacker can invoke privileged API endpoints directly. Because the bypass sits before authentication, no session token, credentials, or prior foothold is required.
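The flaw class the two paragraphs above describe, shown as an added example in Python (this is not FortiClient EMS code, and the endpoint paths, roles and tokens are invented for illustration): a dispatcher that relies on each handler to opt in to its own authorization check, and misses the one privileged handler, beside a hardened dispatcher that authenticates and authorizes every request from a central table before any handler runs and refuses any path the table does not list.

```python
"""Added example, not FortiClient EMS code: a minimal API dispatcher that
models the flaw class in the text (CWE-284, authorization not enforced
before a privileged endpoint runs) next to a hardened version that
enforces authn/authz centrally, before dispatch, with deny by default.
Endpoint paths, roles and tokens below are invented for illustration."""
from dataclasses import dataclass, field

# Constructed session store: bearer token -> role.
SESSIONS = {"tok-admin-1": "admin", "tok-viewer-1": "viewer"}
ROLE_RANK = {"viewer": 1, "admin": 2}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def role_of(req):
    """Resolve the caller's role from the Authorization header, or None."""
    token = req.headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return SESSIONS.get(token[len("Bearer "):])


# Raw handlers: no security logic of their own.
def health(req):
    return {"status": 200, "ok": True}


def list_endpoints(req):
    return {"status": 200, "endpoints": ["host-a", "host-b"]}


def deploy_script(req):
    # Privileged: in a real EMS this would push code to every managed endpoint.
    return {"status": 200, "queued": req.body.get("script")}


def requires(min_role, handler):
    """Per-handler guard used by the vulnerable design."""
    def guarded(req):
        role = role_of(req)
        if role is None:
            return {"status": 401}
        if ROLE_RANK[role] < ROLE_RANK[min_role]:
            return {"status": 403}
        return handler(req)
    return guarded


# Vulnerable: each route opts in to a guard. The privileged route was never
# wrapped, so it is reachable with no credentials at all.
VULNERABLE_ROUTES = {
    "/api/v1/health": health,
    "/api/v1/endpoints": requires("viewer", list_endpoints),
    "/api/v1/deploy_script": deploy_script,  # BUG: missing requires("admin", ...)
}


def vulnerable_dispatch(req):
    handler = VULNERABLE_ROUTES.get(req.path)
    return handler(req) if handler else {"status": 404}


# Hardened: one table states the minimum role for every path; the dispatcher
# checks it before calling any handler, and a path absent from the table is
# refused even though a handler exists for it (deny by default).
RAW_ROUTES = {
    "/api/v1/health": health,
    "/api/v1/endpoints": list_endpoints,
    "/api/v1/deploy_script": deploy_script,
    "/api/v1/debug": lambda req: {"status": 200, "env": "..."},  # not in REQUIRED_ROLE
}
REQUIRED_ROLE = {
    "/api/v1/health": None,          # public
    "/api/v1/endpoints": "viewer",
    "/api/v1/deploy_script": "admin",
}


def hardened_dispatch(req):
    if req.path not in REQUIRED_ROLE or req.path not in RAW_ROUTES:
        return {"status": 404}
    needed = REQUIRED_ROLE[req.path]
    if needed is not None:
        role = role_of(req)
        if role is None:
            return {"status": 401}
        if ROLE_RANK[role] < ROLE_RANK[needed]:
            return {"status": 403}
    return RAW_ROUTES[req.path](req)


def demo():
    """Same unauthenticated privileged call against both dispatchers."""
    anon = Request("/api/v1/deploy_script", body={"script": "whoami"})
    return {
        "vulnerable": vulnerable_dispatch(anon)["status"],
        "hardened": hardened_dispatch(anon)["status"],
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 200, 'hardened': 401}
```

The point of the hardened shape is that the authorization decision cannot be skipped by forgetting a decorator on one handler: the check runs in exactly one place, before routing, and the table of required roles is the complete list of what is reachable at all.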
The consequences are severe: successful exploitation gives an unauthenticated remote attacker arbitrary code execution on the FortiClient EMS server, with no credentials and no user interaction, from anywhere that can reach the server, which for an internet-exposed EMS means anywhere on the internet. Given EMS’s role as the management plane for endpoint security policy across an organization’s entire device fleet, a compromise at this layer effectively hands the attacker administrative control over every managed endpoint. That translates directly into ransomware deployment, credential harvesting, persistent backdoor installation, and unrestricted lateral movement across the environment.
Fortinet has released a hotfix for FortiClient EMS versions 7.4.5 and 7.4.6, and strongly urges all affected customers to apply it immediately. Where immediate patching is not possible, access to the FortiClient EMS server should be restricted to trusted IP ranges via firewall policy, and any direct internet exposure should be eliminated as an immediate priority. Organizations should treat this as an emergency response, not routine patch management.
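Alongside the patch and the firewall restriction above, a practitioner will want to check whether the server was already hit. The following is an added example in Python, not Holm Security's scanner and not any Fortinet tooling: a hunting pass over the web server access log in front of EMS for the trace this bug leaves, a privileged API path served without any credential. The log format, the API paths, and the trusted IP ranges are constructed or assumed for the example and are not real FortiClient EMS values; the March 31, 2026 date is the exploitation start given above.

```python
"""Added example, not Holm Security's scanner or Fortinet tooling: hunt an
access log for privileged API requests that carried no credential, the
pattern a pre-authentication access-control bypass leaves behind. Log format,
API paths and trusted ranges are constructed/assumed, not real EMS values."""
import ipaddress
from datetime import datetime, timezone

# From the advisory: exploitation confirmed in the wild from this date.
KNOWN_EXPLOIT_START = datetime(2026, 3, 31, tzinfo=timezone.utc)

# Assumed allowlist: the ranges a firewall policy would restrict EMS to.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Hypothetical privileged API paths; substitute the real ones from the vendor advisory.
PRIVILEGED_PATHS = {"/api/v1/deploy_script", "/api/v1/endpoints"}

# Constructed sample log. Columns: timestamp, source IP, method, path, HTTP
# status, and whether the request carried a session cookie or Authorization
# header ("session") or nothing ("none"). Source addresses are TEST-NET.
SAMPLE_LOG = """\
2026-03-25T10:00:00Z 203.0.113.45 POST /api/v1/deploy_script 200 auth=none
2026-03-30T09:00:00Z 10.0.5.20 GET /api/v1/endpoints 200 auth=session
2026-04-01T11:30:00Z 10.0.5.20 POST /api/v1/deploy_script 200 auth=session
2026-04-01T11:31:00Z 198.51.100.7 POST /api/v1/deploy_script 401 auth=none
2026-04-04T02:13:07Z 203.0.113.45 POST /api/v1/deploy_script 200 auth=none
2026-04-04T02:13:09Z 203.0.113.45 GET /api/v1/health 200 auth=none
"""


def parse_line(line):
    ts, ip, method, path, status, auth = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "auth": auth.split("=", 1)[1],
    }


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt(log_text):
    """Return one finding per privileged request that carried no credential."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Authenticated calls and public paths are normal traffic; an
        # unauthenticated hit on a privileged path is this bug's signature.
        if ev["path"] not in PRIVILEGED_PATHS or ev["auth"] != "none":
            continue
        findings.append({
            "ts": ev["ts"].isoformat(),
            "src": ev["ip"],
            "path": ev["path"],
            # A 2xx means the server acted on the request: exploitation, not a probe.
            "verdict": "likely-exploitation" if 200 <= ev["status"] < 300 else "probe",
            "external": not is_trusted(ev["ip"]),
            "in_known_window": ev["ts"] >= KNOWN_EXPLOIT_START,
            "weekend": ev["ts"].weekday() >= 5,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

Findings with a 2xx status deserve a full incident response, not a ticket: the server accepted and acted on a request from an unauthenticated caller. A hit dated before March 31 is not a reason to discard it; it is a reason to widen the investigation window.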
This is the second critical unauthenticated vulnerability in FortiClient EMS disclosed within weeks, reinforcing the need for continuous, prioritized patching of internet-facing security infrastructure - the systems where a successful compromise carries the greatest organizational risk.
Holm Security will release the following test to scan for this vulnerability:
If you have any questions, don't hesitate to reach out.