CVE-2026-35616: FortiClient EMS Pre-Auth API Bypass Under Active Exploitation
A critical zero-day in Fortinet's endpoint management server allows unauthenticated remote attackers to bypass API protections and execute arbitrary code. Exploitation began over the Easter weekend.
Fortinet has released emergency hotfixes for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient Endpoint Management Server (EMS). The vulnerability carries a CVSS score of 9.1 and is already being actively exploited in the wild. Fortinet published the advisory and shipped hotfixes over the Easter weekend after Defused Cyber reported observing zero-day exploitation earlier in the week.
The flaw allows an unauthenticated remote attacker to send specially crafted requests that bypass API authentication and authorization checks, ultimately enabling execution of unauthorized code or commands on the server. CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6.
What is FortiClient EMS
FortiClient Endpoint Management Server is Fortinet's centralized platform for deploying, configuring, and monitoring security policies across devices running the FortiClient agent. It is a core component of many enterprise Fortinet deployments, managing endpoint telemetry, VPN configurations, vulnerability scanning, and compliance enforcement. Because EMS has visibility into and control over every managed endpoint, compromising it gives an attacker a foothold with extraordinary reach.
The vulnerability
CVE-2026-35616 is an improper access control flaw (CWE-284) in the FortiClient EMS API layer. The root cause is insufficient authentication and authorization enforcement on certain API endpoints. An attacker does not need any credentials to exploit it. By sending crafted HTTP requests to the EMS server, the attacker can bypass the API's security checks entirely and escalate to code execution.
The attack is remote, requires no user interaction, and has low complexity. All three impact dimensions (confidentiality, integrity, and availability) are rated High in the CVSS vector. In practical terms, anyone who can reach the EMS server over the network can compromise it without any prior access or social engineering.
Holiday weekend timing. According to watchTowr CEO Benjamin Harris, exploitation attempts against CVE-2026-35616 were first recorded against watchTowr's honeypots on March 31. The Easter weekend timing was likely deliberate: security teams are understaffed, on-call engineers are distracted, and the gap between compromise and detection can stretch from hours to days.
Connection to CVE-2026-21643
This is the second critical FortiClient EMS zero-day to come under active exploitation in recent weeks. CVE-2026-21643 (CVSS 9.1), a SQL injection vulnerability in FortiClient EMS, was reported as exploited by Defused Cyber on March 28. Both flaws were discovered by Defused, with Nguyen Duc Anh also credited for CVE-2026-35616.
It is not yet known whether the same threat actor is behind both campaigns, or whether the two vulnerabilities are being chained together. However, the pattern is clear: attackers are actively probing FortiClient EMS as a high-value entry point into enterprise networks.
Affected versions and fixes
The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6. The 7.2 branch is not affected. Fortinet has not stated whether the 8.0 branch is impacted. Hotfixes are available now, and a permanent fix will be included in the upcoming 7.4.7 release.
What to do
Apply the hotfix immediately. Fortinet has published hotfixes for both 7.4.5 and 7.4.6. According to Fortinet's advisory, the hotfixes are sufficient to prevent exploitation.
Restrict network access to EMS. FortiClient EMS should not be exposed to the internet. If it is, restrict access to trusted management networks and VPN-only access immediately.
Check for signs of compromise. Review EMS server logs for unusual API requests, unexpected authentication events, or unfamiliar processes. The exploitation window has been open since at least March 31.
Assess exposure to CVE-2026-21643. If you have not already patched the SQL injection flaw from late March, do so now. The two vulnerabilities may be chained by the same threat actors.
Plan for the 7.4.7 upgrade. While the hotfix addresses the immediate risk, upgrading to 7.4.7 when available will include the permanent fix and should be scheduled as a follow-up.
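The "restrict network access" and "check for signs of compromise" steps above can be turned into a first-pass log triage. The following is an added example, not Fortinet's code or output: it assumes a hypothetical access-log format (ISO-8601 time, client IP, method, path, status per line), a hypothetical login path, and assumed management network ranges, and it flags API calls in the exploitation window that succeeded without any earlier successful login from that client, or that came from outside the trusted networks.

```python
"""Log triage for the 'restrict access' and 'check for compromise' steps above
(added example, not Fortinet's code). Assumes a hypothetical access-log format
"<ISO time> <client ip> <method> <path> <status>" and a hypothetical login path."""
import ipaddress
from datetime import datetime, timezone

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),      # assumed management
                ipaddress.ip_network("192.168.100.0/24")]  # networks
LOGIN_PATH = "/api/v1/login"                               # hypothetical path
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)  # first known exploitation

# Constructed sample log lines, not real EMS output.
SAMPLE_LOG = """\
2026-03-30T09:12:01Z 10.20.5.7 POST /api/v1/login 200
2026-03-30T09:12:05Z 10.20.5.7 GET /api/v1/endpoints 200
2026-04-01T03:14:22Z 203.0.113.45 GET /api/v1/endpoints 200
2026-04-01T03:14:25Z 203.0.113.45 POST /api/v1/policies 200
2026-04-01T08:00:00Z 198.51.100.9 GET /api/v1/endpoints 401
2026-04-02T10:00:00Z 10.20.5.7 GET /api/v1/policies 200
"""

def parse_line(line):
    ts, ip, method, path, status = line.split()
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ipaddress.ip_address(ip), "method": method,
            "path": path, "status": int(status)}

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def find_suspicious(log_text):
    """Flag in-window API calls that succeeded with no earlier successful login
    from that client IP, or that came from outside trusted management nets."""
    logged_in, findings = set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["path"] == LOGIN_PATH and rec["status"] == 200:
            logged_in.add(rec["ip"])  # pre-window logins still count
            continue
        if rec["time"] < WINDOW_START or not rec["path"].startswith("/api/"):
            continue
        reasons = []
        if rec["status"] < 400 and rec["ip"] not in logged_in:
            reasons.append("success-without-prior-login")
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted-source")
        if reasons:
            findings.append((raw, reasons))
    return findings
```

Any "success-without-prior-login" hit from an untrusted source during the window is a candidate for deeper forensic review rather than proof of compromise, since a real EMS log will carry session identifiers the sample format does not.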
Bigger picture
Fortinet products continue to be a favored target for attackers. Enterprise management servers like FortiClient EMS are particularly attractive because they sit at the center of endpoint security infrastructure, with credentials, policies, and network-wide control planes. Compromising EMS can give an attacker the ability to push malicious configurations to every managed endpoint, disable security controls, or exfiltrate telemetry data across the entire fleet.
The holiday weekend timing reinforces a well-established pattern in attacker behavior. Major vulnerability exploits frequently land on weekends and holidays when incident response capabilities are reduced. Organizations should ensure their patching and monitoring processes do not have coverage gaps during these periods.
Two critical zero-days in the same product within ten days, both discovered by the same research group, suggest that FortiClient EMS has become a focused target for both offensive researchers and threat actors. Organizations running FortiClient EMS should treat it as a high-risk asset and ensure it receives priority attention in vulnerability management programs.