Critical Threat Research : The Iranian Cyber War Intensifies! 
Comprehensive Threat Exposure Management Platform
Fortinet has issued emergency patches for a critical vulnerability in FortiClient EMS after confirming active exploitation in the wild. The vulnerability, tracked as CVE-2026-35616, poses a severe risk to organizations that rely on Fortinet FortiClient EMS for centralized endpoint management across their enterprise environments. Because the vulnerability is pre-authentication, an unauthenticated attacker with network access to the FortiClient EMS server can bypass API authentication and authorization controls without requiring valid credentials. This could result in full privilege escalation, enabling the attacker to execute arbitrary code or system commands on the affected server.
Given that FortiClient EMS serves as a centralized management platform for deploying security policies, software patches, and security configurations to endpoint agents across an entire enterprise network, compromise of this critical system could provide an attacker with broad lateral access to thousands of managed endpoints, facilitate deployment of malicious configurations to endpoint security software, or enable persistent access to the target environment through manipulation of endpoint management policies.
The vulnerability affects FortiClient EMS versions 7.4.5 through 7.4.6, while earlier versions such as the 7.2 branch remain unaffected by this specific flaw. Active exploitation was first detected on March 31, 2026, with Fortinet confirming the malicious activity and releasing emergency patches on April 4, 2026. The timing of initial exploitation, aligned with the Easter weekend when security teams were likely operating with reduced staffing, indicates attackers strategically chose a period when organizations were less active to increase their chances of successful compromise before detection. This represents the second critical unauthenticated vulnerability in FortiClient EMS within a matter of weeks, following CVE-2026-21643 involving SQL injection via the Site header, which was also actively exploited as a zero-day vulnerability.
Fortinet issued emergency security patches for a critical vulnerability in FortiClient EMS after confirming the flaw is being actively exploited by threat actors in the wild. The vulnerability, tracked as CVE-2026-35616, affects the system’s API, which manages critical communication between the centralized EMS server and distributed endpoint devices across the enterprise network. Due to fundamentally weak access controls in the API implementation, attackers can send specially crafted HTTP requests that bypass authentication entirely, gaining unauthorized access without any credentials.
The vulnerability stems from an improper access control weakness (CWE-284) where the API fails to properly verify the identity of the requester and fails to validate what permissions they should have before processing sensitive requests. Because no login credentials or authentication tokens are required to interact with vulnerable API endpoints, remote unauthenticated attackers can directly interact with the FortiClient EMS system, escalate privileges to administrative levels, and execute unauthorized commands on the server. This pre-authentication nature significantly lowers the technical skill and effort needed to carry out successful attacks, making the vulnerability particularly dangerous.
The critical flaw impacts FortiClient EMS versions 7.4.5 and 7.4.6, while earlier versions such as the 7.2 branch remain unaffected by this specific vulnerability. Active exploitation was first detected by security researchers on March 31, 2026, with Fortinet officially confirming the malicious activity and releasing emergency patches on April 4, 2026. The timing of the initial exploitation, precisely aligned with the Easter weekend when security operations centers typically operate with reduced staffing and slower response times, strongly indicates that sophisticated threat actors deliberately chose this period to maximize their exploitation window before detection and patching could occur.
This CVE-2026-35616 vulnerability is notably the second critical unauthenticated flaw discovered in FortiClient EMS within a matter of weeks, following the recent disclosure of CVE-2026-21643, which involved SQL injection via the Site HTTP header and was also actively exploited as a zero-day vulnerability. The rapid succession of two critical pre-authentication vulnerabilities in the same product suggests either a systemic weakness in the security architecture of FortiClient EMS or increased attacker focus on this high-value target that provides centralized control over enterprise endpoint security.
Successful exploitation of CVE-2026-35616 enables threat actors to completely compromise the FortiClient EMS server, which serves as the centralized management console for endpoint security across entire organizations. From this privileged position, attackers could deploy malicious security policies to disable endpoint protection, push malware-laden software updates to all managed endpoints simultaneously, exfiltrate sensitive configuration data and credentials stored in the EMS database, establish persistent backdoor access through manipulation of endpoint management policies, or pivot laterally to thousands of managed workstations and servers across the enterprise network.
The pre-authentication nature of the vulnerability means that organizations with internet-exposed FortiClient EMS servers face immediate risk from remote attackers without any social engineering or credential theft required. Even organizations with FortiClient EMS deployed on internal networks remain vulnerable to attackers who have already gained initial network access through other vectors, as the vulnerability provides an easy path to privilege escalation and enterprise-wide endpoint compromise.
Apply the official security fixes for affected FortiClient EMS versions 7.4.5 through 7.4.6 without delay. Systems left unpatched remain directly exposed to unauthenticated exploitation by remote attackers. Organizations should prioritize this patching activity as an emergency maintenance window due to confirmed active exploitation and the critical nature of the FortiClient EMS platform in enterprise security architecture.
Limit network access to the FortiClient EMS API by enforcing strict network-level controls using firewall rules and network segmentation. Allow only trusted IP address ranges and internal systems to communicate with the EMS server API endpoints. Organizations must avoid exposing the FortiClient EMS API to the public internet under any circumstances, as this creates a direct attack surface for unauthenticated remote exploitation.
As an immediate mitigation measure for organizations unable to patch instantly, ensure that the FortiClient EMS management interface and API endpoints are not directly exposed to the internet. Access should be restricted exclusively to trusted internal networks or VPN-connected network segments using firewall rules and access control lists. This network segmentation reduces the attack surface available to unauthenticated remote attackers while organizations complete emergency patching procedures.
Enforce strict authentication and authorization checks across all API endpoints in future deployments and configurations. Validate every request, even those assumed to be from internal sources, and eliminate any implicit trust assumptions within the network architecture. Organizations should implement defense-in-depth principles where API security does not rely solely on network perimeter controls.
Given the confirmed zero-day exploitation window beginning March 31, 2026 and extending until patch availability on April 4, 2026, security teams should immediately review FortiClient EMS server logs, web server access logs, and network traffic records for anomalous API requests, unauthorized configuration changes, or unexpected command execution during this timeframe. Any indicators of compromise should trigger a full incident response investigation, including comprehensive examination of all managed endpoints for signs of lateral movement, persistence mechanisms, malware deployment, or unauthorized policy modifications pushed through the compromised EMS server.
The CVE-2026-35616 exploitation employs multiple tactics and techniques mapped to the MITRE ATT&CK framework, including initial access through exploiting public-facing applications, privilege escalation through exploitation for privilege escalation, execution through command and scripting interpreters, persistence through server software component manipulation, and lateral movement through software deployment tools by abusing the centralized endpoint management capabilities of the compromised FortiClient EMS platform.
The threat advisory references official Fortinet security advisories FG-IR-26-099 for CVE-2026-35616 and FG-IR-25-1142 for CVE-2026-21643, alongside FortiClient EMS 7.4.6 release notes documenting the security fixes. These references provide official patch download locations, additional technical details, and vendor-confirmed exploitation status for security teams implementing remediation measures.
Get through updates and upcoming events, and more directly in your inbox