- CVE-2026-35616 is a critical zero-day in FortiClient EMS with a CVSS score of 9.1, already confirmed as actively exploited in the wild before the patch was even released.
- Only FortiClient EMS versions 7.4.5 and 7.4.6 are affected — version 7.2.x is safe, and a permanent fix is coming in 7.4.7.
- The flaw lives in the API layer and requires no authentication, meaning attackers can execute unauthorized commands without ever logging in.
- This is the second critical FortiClient EMS vulnerability exploited in attacks within days — a pattern that demands immediate escalation, not routine patch scheduling.
- Emergency hotfixes are available right now — keep reading to get the exact steps to apply them before attackers reach your environment.
Attackers are already inside vulnerable systems — if you’re running FortiClient EMS 7.4.5 or 7.4.6, the window to act is closing fast.
Fortinet issued an emergency out-of-band security advisory (FG-IR-26-099) on a Saturday — a move that signals just how serious this situation is. Weekend releases are rare, reserved for threats too dangerous to wait for a regular patch cycle. Organizations that treat this like a routine Tuesday update are handing attackers a head start they don’t need.
For businesses relying on endpoint security infrastructure, understanding the mechanics of this vulnerability isn’t optional — it’s the difference between a contained incident and a full breach. Security teams at Defused were among the first to detect live exploitation through their Radar threat intelligence feature, which triggered Fortinet’s emergency response timeline.
A Critical FortiClient EMS Zero-Day Is Being Exploited Right Now
This isn’t a theoretical risk or a proof-of-concept sitting in a researcher’s lab. Fortinet’s own advisory confirms active exploitation in the wild, which means real threat actors are already running exploit code against unpatched systems at this moment. In related news, a recent attack campaign has targeted corporate logins, highlighting the urgency of addressing these vulnerabilities.
CVE-2026-35616 Carries a 9.1 CVSS Score
A CVSS score of 9.1 puts CVE-2026-35616 firmly in the Critical severity tier. To put that in context, scores above 9.0 represent vulnerabilities where exploitation is straightforward, the impact is severe, and little to no attacker skill is required. The specific scoring reflects a combination of network-based attack vector, low attack complexity, and no privileges or user interaction required — a trifecta that makes this flaw exceptionally dangerous in any internet-exposed deployment.
The vulnerability is classified under CWE-284 (Improper Access Control), meaning the root cause is a failure in how the system enforces who is allowed to do what. In practice, this allows crafted API requests to bypass access controls entirely and execute unauthorized code or commands on the server. For more information, you can read about the Fortinet patches addressing this issue.
Only FortiClient EMS 7.4.5 and 7.4.6 Are Affected
If your organization is running FortiClient EMS 7.2.x, you are not affected and no action is required for this specific CVE. The vulnerable versions are exclusively 7.4.5 and 7.4.6. Fortinet has made emergency hotfixes available for both affected builds while the permanent fix — scheduled for FortiClient EMS 7.4.7 — is finalized.
This version-specific scoping actually matters operationally. Before anything else, your team needs to confirm exactly which version is deployed across your environment. Organizations running mixed or undocumented versions should treat version verification as step zero in their response playbook.
Exploitation Was Confirmed Before the Patch Was Released
One of the most critical details buried in Fortinet’s advisory is the timeline: exploitation was observed before the hotfix was made available. That makes CVE-2026-35616 a true zero-day by definition — a vulnerability that was weaponized while defenders had zero days to prepare. This isn’t a case of researchers finding something in a lab; attackers found it first and used it.
Fortinet’s language in the advisory is direct: “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix.” That phrasing — “urges” combined with a Saturday release — carries significant weight from a vendor that typically follows scheduled disclosure timelines.
The confirmed pre-patch exploitation also means that if your FortiClient EMS was internet-exposed during the vulnerability window, you shouldn’t just patch — you should also conduct a thorough forensic review of logs and API activity to determine whether compromise already occurred.
What CVE-2026-35616 Actually Does to Your System
Understanding what this vulnerability enables technically is critical for assessing your actual exposure. Once CVE-2026-35616 is exploited, an attacker gains unauthorized access to the EMS server and can:
- Send crafted, unauthenticated API requests directly to the FortiClient EMS server
- Bypass all access controls due to improper enforcement at the API layer (CWE-284)
- Execute unauthorized code or commands on the underlying server without valid credentials
- Escalate privileges — Fortinet’s advisory lists privilege escalation as the primary impact
- Pivot deeper into the network from the compromised EMS server, which by design has broad visibility into managed endpoints
The EMS server is a high-value target precisely because it manages endpoint security configurations across an entire organization. Compromising it doesn’t just mean owning one server — it means an attacker potentially has leverage over every endpoint that EMS manages.
No Login Required: How the API Bypass Works
The flaw resides specifically in the API layer of FortiClient EMS. Attackers craft malicious requests that reach endpoints within the API without triggering the authentication checks that should gate them. Because the access control enforcement is improperly implemented at this layer, the server processes those requests as if they were legitimate — no username, no password, no session token required.
From Bypass to Full Command Execution
Once the authentication gate is bypassed, the path to code execution is direct. Crafted requests can instruct the server to execute commands, and because EMS runs with elevated system privileges by design, those commands inherit the same privileges. What starts as an access control failure at the API layer becomes root-level or SYSTEM-level access on the server within a single exploit chain.
Why Pre-Authentication Flaws Are Especially Dangerous
Most vulnerabilities require at least a foothold — a valid account, a phished credential, some prior access. Pre-authentication flaws eliminate that requirement entirely. Any attacker who can reach the EMS management interface over the network can attempt exploitation. For organizations with EMS exposed to the internet, that means the entire global threat landscape is your attack surface, not just targeted adversaries.
This attack profile also defeats many layered security assumptions. Endpoint detection tools, identity-based controls, and credential monitoring don’t catch what never authenticates. The only reliable defenses at this stage are network-level access restrictions and applying the patch.
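The article gives no root-cause detail beyond the CWE-284 classification, so the following is an added, generic illustration of that weakness class at an API layer, written for this article and not taken from FortiClient EMS or Fortinet code; the routes, handlers and session store are constructed and stand in for nothing specific in EMS. It contrasts an opt-in pattern, where each handler must remember to check the session, with a deny-by-default dispatcher, and includes the route-coverage audit a team can run in CI to catch any non-public route that an unauthenticated request still reaches.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed session store; a real service would consult a session table.
VALID_SESSION_TOKENS = {"session-admin-0001"}


@dataclass
class ApiRequest:
    path: str
    session_token: Optional[str] = None  # None models a caller that never logged in


def is_authenticated(req: ApiRequest) -> bool:
    return req.session_token in VALID_SESSION_TOKENS


def status_handler(req: ApiRequest) -> str:
    return "status: ok"  # intentionally public (health check)


def list_policies_handler(req: ApiRequest) -> str:
    return "policies: [...]"


def run_command_handler(req: ApiRequest) -> str:
    return "command executed"  # stands in for any privileged server-side action


# --- Weak pattern: each handler opts in to its own check -----------------------
# A handler that forgets the check is reachable pre-authentication. This is the
# general shape of CWE-284 at an API layer, shown as a generic illustration only.
def guarded_list_policies(req: ApiRequest) -> str:
    if not is_authenticated(req):
        raise PermissionError("authentication required")
    return list_policies_handler(req)


OPT_IN_ROUTES: Dict[str, Callable[[ApiRequest], str]] = {
    "/api/status": status_handler,
    "/api/policies": guarded_list_policies,
    "/api/run": run_command_handler,  # check missing: the defect class
}


def dispatch_opt_in(req: ApiRequest) -> str:
    handler = OPT_IN_ROUTES.get(req.path)
    if handler is None:
        raise KeyError(req.path)
    return handler(req)


# --- Hardened pattern: deny by default at the dispatcher ------------------------
# Authentication is enforced before any handler runs; only an explicit allowlist
# of routes is public, so a forgotten per-handler check cannot expose a route.
PUBLIC_ROUTES = {"/api/status"}

DEFAULT_DENY_ROUTES: Dict[str, Callable[[ApiRequest], str]] = {
    "/api/status": status_handler,
    "/api/policies": list_policies_handler,
    "/api/run": run_command_handler,
}


def dispatch_deny_by_default(req: ApiRequest) -> str:
    handler = DEFAULT_DENY_ROUTES.get(req.path)
    if handler is None:
        raise KeyError(req.path)
    if req.path not in PUBLIC_ROUTES and not is_authenticated(req):
        raise PermissionError("authentication required")
    return handler(req)


def reaches_handler(dispatch: Callable[[ApiRequest], str], req: ApiRequest) -> bool:
    """True if the request gets past access control and into its handler."""
    try:
        dispatch(req)
        return True
    except PermissionError:
        return False


def audit_unauthenticated_access(dispatch, routes: Dict[str, Callable], public: set) -> List[str]:
    """Route-coverage check: non-public routes an anonymous request can still reach."""
    return [path for path in routes
            if path not in public and reaches_handler(dispatch, ApiRequest(path))]


if __name__ == "__main__":
    print("opt-in routes reachable anonymously   :",
          audit_unauthenticated_access(dispatch_opt_in, OPT_IN_ROUTES, PUBLIC_ROUTES))
    print("deny-by-default reachable anonymously :",
          audit_unauthenticated_access(dispatch_deny_by_default, DEFAULT_DENY_ROUTES, PUBLIC_ROUTES))
```

The audit function is the part worth keeping: run it against every route table in a build pipeline, and a newly added route that lacks an authentication gate fails the build instead of shipping as a pre-authentication entry point.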
How This Zero-Day Was Discovered
The discovery timeline for CVE-2026-35616 is notable because it wasn’t a traditional researcher submission — it was caught by active threat intelligence monitoring during live exploitation. Defused’s Radar feature detected anomalous activity consistent with exploitation attempts against FortiClient EMS infrastructure, which set the responsible disclosure chain in motion and ultimately forced Fortinet’s hand on the emergency release timeline.
This type of detection — catching a zero-day through behavioral signals during active attack campaigns rather than through static code auditing — highlights a growing reality in vulnerability management: by the time a CVE gets a number, the exploitation may already be underway. Threat intelligence that monitors live attack infrastructure is increasingly the earliest warning system available to defenders, as seen in the Kubernetes attacks by TeamPCP.
Defused’s Radar Feature Caught Live Exploitation First
Defused’s Radar feature operates by continuously monitoring attack infrastructure, tracking exploit patterns, and correlating threat signals across global telemetry — not waiting for a CVE to be filed before raising the alarm. In the case of CVE-2026-35616, Radar detected active exploitation attempts targeting FortiClient EMS API endpoints before any public disclosure existed. That kind of real-time visibility is what separates reactive patching from genuine threat intelligence.
The detection came through behavioral anomalies — specifically, crafted unauthenticated API requests that matched no legitimate usage pattern but aligned with privilege escalation behavior on EMS servers. Catching that signal during live exploitation, rather than in a controlled research environment, is what ultimately compressed the timeline from vulnerability discovery to emergency hotfix release.
Responsible Disclosure Triggered Fortinet’s Emergency Response
Once active exploitation was confirmed through Radar, Defused followed responsible disclosure protocols — notifying Fortinet directly with technical details, proof-of-concept behavior, and evidence of in-the-wild exploitation. That combination of confirmed active abuse and technical depth left Fortinet with little choice but to treat this as an emergency rather than a scheduled patch cycle item. For similar instances of cybersecurity breaches, you can read about the Telus digital data breach.
The result was a Saturday advisory release — something Fortinet reserves for situations where the risk of waiting even 48 hours is unacceptable. The advisory’s language, urging customers to install the hotfix immediately, reflects exactly how seriously Fortinet received the disclosure. Responsible disclosure done right doesn’t just protect one vendor’s customers — it compresses the exploitation window for everyone.
- Defused detected live exploitation through behavioral API anomalies before any CVE was assigned
- Technical details and exploitation evidence were packaged and delivered to Fortinet directly
- Fortinet issued an emergency Saturday advisory — bypassing normal patch scheduling entirely
- Hotfixes were made available immediately for both FortiClient EMS 7.4.5 and 7.4.6
- A permanent fix was fast-tracked for inclusion in the upcoming FortiClient EMS 7.4.7 release
The speed of this entire chain — from detection to emergency hotfix — is a model for how the security ecosystem should respond when a critical, actively exploited vulnerability is discovered. Every hour saved in that process is an hour that defenders have an advantage over attackers who are already running exploit code.
This Is Not the First FortiClient EMS Flaw Exploited in the Wild
CVE-2026-35616 didn’t emerge in isolation. It landed days after another critical FortiClient EMS vulnerability — CVE-2026-21643, carrying a CVSS score of 9.1 — was also confirmed as actively exploited. Two critical, actively exploited vulnerabilities in the same product within the same week is not a coincidence. It’s a signal that FortiClient EMS has become a priority target for threat actors, and defenders need to treat it accordingly.
CVE-2026-21643 Was Exploited Just Days Before
CVE-2026-21643 was reported and confirmed exploited in attacks just days before CVE-2026-35616 surfaced. While CVE-2026-21643 involves a separate attack vector, both vulnerabilities share a CVSS score of 9.1 and the same confirmed status: actively exploited in the wild. Organizations that scrambled to patch CVE-2026-21643 found themselves immediately facing a second emergency response for the same product. That operational burden is itself a risk factor — patch fatigue can lead to delayed responses on the second wave.
What a Double Exploitation Pattern Signals for Defenders
When two critical vulnerabilities in the same product are exploited within days of each other, it typically indicates one of three things: threat actors are systematically auditing the product for weaknesses, a coordinated research effort (offensive or defensive) has surfaced multiple issues simultaneously, or the product’s attack surface is broad enough that independent actors are finding separate entry points at the same time. In any of these scenarios, the appropriate defender posture is the same — assume the product is under active, focused targeting and respond with urgency. Recent incidents, such as the Storm-2561 campaign, highlight the importance of maintaining vigilance.
The pattern also has implications for how organizations should scope their incident response. If attackers are focused on FortiClient EMS specifically, then compromise of the EMS server should be treated as a potential pivot point — not just a standalone infected machine. EMS has privileged relationships with every endpoint it manages, which means a compromised EMS instance could have downstream effects across the entire managed endpoint fleet.
Forensic review should therefore extend beyond the EMS server itself. Teams should examine endpoint configuration changes, new policy deployments, unexpected software installations, and any lateral movement originating from the EMS server’s IP address in the days surrounding the exploitation window. This is especially true for any organization that had EMS internet-exposed during the period between the emergence of CVE-2026-21643 and the patching of CVE-2026-35616.
From a strategic standpoint, this double exploitation pattern should also prompt a broader conversation about the EMS attack surface. Internet-exposing a management server that has privileged access to all managed endpoints is a significant architectural risk — one that the existence of two back-to-back critical CVEs makes impossible to ignore. The technical mitigation of patching is necessary but not sufficient; the architectural question of whether EMS should be reachable from the public internet at all deserves a direct answer. For example, recent cyberattacks highlight the importance of evaluating and securing such critical infrastructure.
If your security team hasn’t already moved FortiClient EMS behind a VPN or restricted its management interface to internal network ranges only, this double exploitation event is the clearest possible signal that the time to make that change is now — not after the third critical CVE in the series.
How to Patch CVE-2026-35616 Right Now
Fortinet has made the remediation path straightforward, but it requires immediate action. The following steps cover everything from version verification through hotfix installation and longer-term hardening. Do not wait for a maintenance window — given confirmed active exploitation, this qualifies as an emergency response situation.
- Verify your exact FortiClient EMS version before taking any other action
- Apply the appropriate emergency hotfix for version 7.4.5 or 7.4.6 immediately
- Plan the upgrade path to FortiClient EMS 7.4.7 when it becomes available for the permanent fix
- Review EMS logs for anomalous API activity that may indicate prior exploitation
- Restrict external access to the EMS management interface at the network level
If your environment is running FortiClient EMS 7.2.x, you are not affected by CVE-2026-35616 and no hotfix action is required for this specific vulnerability. However, given the active targeting of FortiClient EMS infrastructure broadly, reviewing your 7.2.x deployment’s network exposure is still a sound defensive step.
For environments running multiple EMS instances — including test, staging, or regional deployments — apply the hotfix across all instances, not just production. Attackers don’t limit their targeting to production systems, and an unpatched staging server with network access to production infrastructure is a viable entry point.
1. Confirm Which FortiClient EMS Version You Are Running
Log into the FortiClient EMS console and navigate to System > Dashboard to confirm the exact build version. If you manage multiple EMS deployments, verify each one individually — version discrepancies across environments are common and dangerous. Document the version across all instances before proceeding to hotfix application, and flag any instance running 7.4.5 or 7.4.6 for immediate remediation.
2. Apply the Emergency Hotfix for Version 7.4.5 or 7.4.6
Fortinet has published specific hotfix instructions within the official release notes for each affected version, accessible through the Fortinet documentation portal. The installation process differs slightly between 7.4.5 and 7.4.6, which is why Fortinet has provided version-specific guidance rather than a single unified patch file.
- FortiClient EMS 7.4.5: Follow the hotfix instructions in the 7.4.5 EMS release notes via the Fortinet documentation portal
- FortiClient EMS 7.4.6: Follow the hotfix instructions in the 7.4.6 EMS release notes via the Fortinet documentation portal
Do not attempt to apply the 7.4.6 hotfix to a 7.4.5 installation or vice versa. The version-specific guidance exists for a reason, and cross-version hotfix application can introduce instability or leave the vulnerability partially unaddressed. Access the Fortinet documentation portal directly using your support credentials and navigate to the correct release notes for your specific build.
After applying the hotfix, verify the installation was successful by checking the build version again in the EMS dashboard. Fortinet’s release notes will specify the exact build string that confirms successful hotfix application — confirm that string matches before closing out the remediation ticket.
3. Plan for the Permanent Fix in FortiClient EMS 7.4.7
The emergency hotfixes address the active exploitation risk right now, but the permanent resolution for CVE-2026-35616 is coming in FortiClient EMS 7.4.7. Once that release is available, organizations should prioritize upgrading from the hotfixed 7.4.5 or 7.4.6 builds to 7.4.7 through standard change management processes. The hotfix is not a substitute for the full version upgrade — it is a bridge to keep you protected until 7.4.7 is ready.
4. Review EMS Logs for Anomalous API Activity
Because exploitation was confirmed before the patch existed, patching alone is not enough — you need to determine whether your environment was already compromised during the exposure window. Pull logs from the FortiClient EMS server and filter specifically for API requests that originated from external IP addresses, triggered no authentication event, yet resulted in command execution or privilege changes. Unauthenticated API calls that don’t match any legitimate administrative session are your primary indicator of compromise.
Focus your log review on the period between the emergence of CVE-2026-21643 and today — that entire window should be treated as a potential exposure period. Look for unexpected configuration changes, new administrative accounts, modified endpoint policies, or any outbound connections from the EMS server to unfamiliar IP addresses. If you find evidence of unauthorized access, escalate immediately to full incident response rather than treating this as a routine patching exercise.
5. Restrict External Access to the EMS Management Interface
Even after the hotfix is applied, leaving the EMS management interface exposed to the public internet is an architectural risk that no patch fully eliminates. Immediately restrict access to the EMS interface using firewall rules that whitelist only known administrative IP ranges. Better still, place EMS behind a VPN so that management access requires a separate authenticated tunnel before the EMS interface is even reachable. The EMS server manages every endpoint in your environment — its attack surface should be as small as you can make it, regardless of patch status. For more insights on securing VPNs, explore how spoofed VPN sites can harvest corporate logins.
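Steps 1, 4 and 5 above can be backed by a small triage script. The following is an added example written for this article, not Fortinet's or Defused's tooling: the version scope comes from the advisory as summarized above, while the admin IP ranges, the inventory versions and the log line format (`timestamp key=value ...`) are constructed for the example. Real FortiClient EMS logs are formatted differently, so `parse_log_line()` is the part to adapt; the classification rule (unauthenticated API request, source outside the admin allowlist, action that executed a command or changed privileges) is the one step 4 describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Version scope as stated in Fortinet advisory FG-IR-26-099 (summarized above).
AFFECTED_VERSIONS = {"7.4.5", "7.4.6"}
PERMANENT_FIX = (7, 4, 7)

# Admin source ranges allowed to reach the EMS API: CONSTRUCTED for this example.
ADMIN_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.50.0/24")]

# Actions matching the advisory's stated impact when reached without a session.
HIGH_RISK_ACTIONS = {"exec_command", "privilege_change", "account_create"}


def parse_version(version: str) -> tuple:
    """'7.4.6' -> (7, 4, 6); a trailing '-build' suffix is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])


def triage_instance(version: str) -> str:
    """Step 1: classify one EMS instance by the version shown on its dashboard."""
    if version.split("-")[0] in AFFECTED_VERSIONS:
        return "apply-hotfix"
    if parse_version(version) >= PERMANENT_FIX:
        return "permanent-fix"
    # Everything else (7.2.x included) is not listed as affected in the advisory.
    return "not-affected"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Apply step 1 to every instance (prod, staging, regional, ...)."""
    return {name: triage_instance(ver) for name, ver in inventory.items()}


@dataclass
class Finding:
    ts: str
    src: str
    action: str
    severity: str  # "critical" or "review"


def is_allowlisted(src: str) -> bool:
    """Step 5 check: is this source inside an admin range that may reach EMS?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_RANGES)


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse the CONSTRUCTED 'timestamp key=value ...' format of SAMPLE_LOG."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def review_api_log(lines: Iterable[str]) -> List[Finding]:
    """Step 4: flag API requests with no authentication from outside admin ranges.

    critical: the request led to command execution or a privilege change
              (the primary indicator of compromise named above)
    review:   any other unauthenticated request from a non-allowlisted source
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_log_line(line)
        if f.get("auth") != "none" or is_allowlisted(f["src"]):
            continue
        sev = "critical" if f.get("action") in HIGH_RISK_ACTIONS else "review"
        findings.append(Finding(f["ts"], f["src"], f.get("action", "?"), sev))
    return findings


# CONSTRUCTED sample log using documentation IP ranges; not real EMS output.
SAMPLE_LOG = """\
2026-04-18T03:12:07Z src=10.1.2.3 auth=session user=admin action=policy_update result=200
2026-04-18T03:14:51Z src=203.0.113.45 auth=none user=- action=exec_command result=200
2026-04-18T03:15:02Z src=203.0.113.45 auth=none user=- action=privilege_change result=200
2026-04-18T03:20:00Z src=198.51.100.7 auth=none user=- action=health_check result=200
2026-04-18T04:00:10Z src=192.168.50.9 auth=session user=ops action=exec_command result=200
"""

# CONSTRUCTED inventory; the versions are placeholders for what your dashboards show.
SAMPLE_INVENTORY = {"prod": "7.4.6", "staging": "7.4.5", "emea": "7.2.4"}

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:8} {SAMPLE_INVENTORY[name]:8} -> {verdict}")
    for fnd in review_api_log(SAMPLE_LOG.splitlines()):
        print(f"[{fnd.severity.upper():8}] {fnd.ts} {fnd.src} {fnd.action}")
```

`ADMIN_RANGES` is the same allowlist that step 5 puts in the perimeter firewall, so keeping one definition for both the log review and the firewall change avoids a drift where a range is trusted in one place and blocked in the other. Anything the script marks critical is an incident response trigger, not a patching item.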
Patch Now — Every Hour of Delay Is a Window for Attackers
Attackers confirmed exploitation of CVE-2026-35616 before Fortinet even had a patch ready. That means every organization still running unpatched FortiClient EMS 7.4.5 or 7.4.6 is operating under active threat right now, not theoretical future risk. Apply the emergency hotfix immediately, review your logs for signs of prior compromise, and restrict network access to your EMS interface at the perimeter level. This is not a situation where waiting for a scheduled maintenance window is acceptable — the attackers already have a head start, and the only way to close that gap is to move faster than they are.
Once the hotfix is in place, keep FortiClient EMS 7.4.7 on your upgrade roadmap as the priority item for permanent resolution. Two critical CVEs exploited in the same product within the same week is a clear signal that FortiClient EMS is under sustained, focused targeting — and your defensive posture needs to reflect that reality with both immediate action and longer-term architectural hardening. Recent events, such as the cyberattack on European Commission cloud systems, highlight the importance of robust cybersecurity measures.
Frequently Asked Questions
The following questions address the most critical details about CVE-2026-35616, who is affected, and what actions to take. If your team is triaging this right now, start with the version check and hotfix steps above before diving into the FAQ.
These answers are based on Fortinet’s official advisory (FG-IR-26-099) and confirmed threat intelligence from active exploitation monitoring. As the situation evolves and FortiClient EMS 7.4.7 becomes available, check the Fortinet documentation portal for updated guidance.
What is CVE-2026-35616 and why is it critical?
CVE-2026-35616 is a critical zero-day vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS), classified under CWE-284 (Improper Access Control) with a CVSS score of 9.1. It allows an unauthenticated remote attacker to send crafted API requests that bypass access controls entirely, execute unauthorized code or commands on the EMS server, and escalate privileges — all without any valid credentials. Fortinet has confirmed active in-the-wild exploitation, meaning real attackers are using this flaw against unpatched organizations right now.
Which versions of FortiClient EMS are vulnerable to this flaw?
Only FortiClient EMS 7.4.5 and 7.4.6 are affected by CVE-2026-35616. Emergency hotfixes are available for both versions through the Fortinet documentation portal, with version-specific installation instructions in the respective release notes. A permanent fix is scheduled for inclusion in FortiClient EMS 7.4.7, which is currently in development.
Is FortiClient EMS 7.2 affected by CVE-2026-35616?
- FortiClient EMS 7.2.x — Not affected. No action required for this specific CVE.
- FortiClient EMS 7.4.5 — Affected. Apply the emergency hotfix immediately via the 7.4.5 release notes.
- FortiClient EMS 7.4.6 — Affected. Apply the emergency hotfix immediately via the 7.4.6 release notes.
- FortiClient EMS 7.4.7 — Not yet released. Will include the permanent fix for CVE-2026-35616.
FortiClient EMS 7.2.x uses a different codebase structure at the API layer that does not contain the improper access control condition described in CWE-284 as it manifests in 7.4.5 and 7.4.6. This version-specific scoping is confirmed in Fortinet’s official advisory FG-IR-26-099 and is not subject to change unless Fortinet issues an updated advisory.
That said, if you are running 7.2.x, consider this double-exploitation event a prompt to review your EMS deployment’s network exposure anyway. A management server with privileged access to all managed endpoints should never be reachable from the public internet, regardless of which version is running or whether a specific CVE applies to your build.
Organizations running 7.2.x should also monitor Fortinet’s PSIRT advisories closely. Given the active targeting of FortiClient EMS infrastructure broadly, additional CVEs affecting other version branches cannot be ruled out as threat actor research into this product continues.
What should I do if I cannot patch immediately?
If applying the emergency hotfix right now is not operationally possible, implement the following compensating controls as an immediate bridge measure. First, restrict all inbound access to the FortiClient EMS management interface using firewall rules — allow only known administrative IP ranges and block everything else at the perimeter. Second, place the EMS server behind a VPN if it is currently internet-accessible. These steps do not fix the underlying vulnerability, but they dramatically reduce the likelihood of a remote unauthenticated attacker being able to reach the vulnerable API endpoints in the first place.
At the same time, begin your log review immediately regardless of patch status. If your EMS was internet-exposed before these compensating controls were in place, you need to determine whether exploitation already occurred. Treat this as a parallel workstream to hotfix preparation, not a sequential one. Document your compensating controls, set a hard deadline for hotfix application, and communicate the risk to leadership — this is a critical-severity, actively exploited vulnerability, and that escalation is warranted.
Is CVE-2026-35616 related to the recently exploited CVE-2026-21643?
CVE-2026-35616 and CVE-2026-21643 are separate vulnerabilities with distinct CVE identifiers, different attack vectors, and independent exploit chains. They are not the same flaw reported twice, and patching one does not remediate the other. Both carry a CVSS score of 9.1 and both have been confirmed as actively exploited in the wild, but they represent two independent security failures in FortiClient EMS that threat actors are exploiting separately.
What connects them is the product, the timeline, and the threat actor focus. Both vulnerabilities were exploited within days of each other, targeting the same FortiClient EMS infrastructure. That pattern strongly suggests that FortiClient EMS has become a high-priority target for active exploitation campaigns — whether through coordinated attacker research, multiple independent threat actors discovering issues simultaneously, or systematic fuzzing of the EMS attack surface.
Organizations should ensure both CVEs are addressed independently. Confirm that CVE-2026-21643 has been fully remediated in your environment and then apply the CVE-2026-35616 hotfix as described above. If your team has not yet addressed CVE-2026-21643, treat both as simultaneous emergencies and work through your Fortinet PSIRT advisories to confirm your remediation status for each one before considering the incident closed. Defused provides continuous threat intelligence monitoring that can help organizations detect and respond to active exploitation attempts like these before they result in confirmed breaches.