Arbitrary Code Execution Vulnerability (CVE‑2026‑35616) Discovered in Fortinet FortiClientEMS Affects Enterprise Endpoint Management
What Happened — Fortinet FortiClientEMS versions 7.4.5‑7.4.6 contain an improper access‑control flaw (CVE‑2026‑35616) that allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability is being exploited in the wild, giving attackers the ability to run code in the context of the service account that runs the EMS service.
Why It Matters for TPRM —
- A compromised EMS platform can be used to push malicious policies or binaries to any managed endpoint, amplifying risk across a vendor’s entire customer base.
- Privilege escalation on service accounts may enable attackers to create new admin users, exfiltrate data, or disrupt critical business operations.
- The flaw affects a core security control that many organizations rely on for third‑party endpoint protection, making it a high‑impact supply‑chain risk.
Who Is Affected — Technology/SaaS vendors, financial services, government agencies, healthcare providers, retail, and any organization that deploys FortiClientEMS for endpoint management.
Recommended Actions —
- Deploy Fortinet’s hotfix immediately and upgrade to version 7.4.7 or later after testing.
- Review and harden privileges of the EMS service account; enforce least‑privilege principles.
- Verify that a formal vulnerability‑management process is in place and that remediation timelines meet your TPRM policy.
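The first two actions above start with knowing which EMS servers are actually on a vulnerable build. The script below is an added example (not Fortinet's or CIS's code) that triages an asset inventory against the version ranges this advisory states: 7.4.5 through 7.4.6 are affected and 7.4.7 or later is the fixed build. It deliberately reports 7.4 builds older than 7.4.5 and other release branches as "unlisted" rather than guessing their status, since the advisory does not name them. The hostnames and inventory records are constructed sample data, and the product name string and record layout are assumptions about how an inventory export might look.

```python
"""Triage an asset inventory against the FortiClientEMS advisory (CVE-2026-35616).

Added example for this advisory; it is not Fortinet's or CIS's code. The
version boundaries come from the advisory text: 7.4.5 through 7.4.6 are
affected and 7.4.7 or later is the fixed build. Versions on other branches
are reported as outside the ranges the advisory lists rather than guessed.
"""
from collections import Counter

PRODUCT = "FortiClientEMS"          # assumed product label in the inventory export
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_MIN = (7, 4, 7)

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    {"host": "ems-prod-01", "product": "FortiClientEMS", "version": "7.4.5"},
    {"host": "ems-prod-02", "product": "FortiClientEMS", "version": "v7.4.6"},
    {"host": "ems-dr-01", "product": "FortiClientEMS", "version": "7.4.7"},
    {"host": "ems-lab-01", "product": "FortiClientEMS", "version": "7.4.10"},
    {"host": "ems-legacy", "product": "FortiClientEMS", "version": "7.2.9"},
    {"host": "fgt-edge-01", "product": "FortiGate", "version": "7.4.5"},
]


def parse_version(text):
    """Convert '7.4.5', 'v7.4.5' or '7.4.5.1234' into a (major, minor, patch) tuple.

    Comparing tuples of integers, not strings, is what makes 7.4.10 sort
    above 7.4.7; a plain string comparison would get that wrong.
    """
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify(version_text):
    """Map one FortiClientEMS version to 'vulnerable', 'fixed' or 'unlisted'."""
    v = parse_version(version_text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v[:2] == FIXED_MIN[:2] and v >= FIXED_MIN:
        return "fixed"
    # Anything else (older 7.4 builds, other release branches) is not named in
    # the advisory; confirm its status against the vendor's own notice.
    return "unlisted"


ACTIONS = {
    "vulnerable": "apply hotfix now; upgrade to 7.4.7 or later after testing",
    "fixed": "no action for this CVE; keep the EMS service account least-privilege",
    "unlisted": "version not in advisory ranges; confirm against vendor advisory",
}


def triage(inventory):
    """Return one finding per FortiClientEMS record, vulnerable hosts first."""
    findings = []
    for rec in inventory:
        if rec["product"] != PRODUCT:
            continue  # other Fortinet products are out of scope for this CVE
        try:
            status = classify(rec["version"])
        except ValueError:
            status = "unlisted"  # unparseable version: needs a human look
        findings.append({"host": rec["host"], "version": rec["version"],
                         "status": status, "action": ACTIONS[status]})
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    findings.sort(key=lambda f: (order[f["status"]], f["host"]))
    return findings


def summary(inventory):
    """Count findings by status, e.g. {'vulnerable': 2, 'fixed': 2, 'unlisted': 1}."""
    return dict(Counter(f["status"] for f in triage(inventory)))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:<12} {f['version']:<8} {f['status']:<10} {f['action']}")
    print(summary(SAMPLE_INVENTORY))
```

Feeding a real CMDB export through `triage()` gives the list to hand to the patching team, with vulnerable hosts first; the "unlisted" bucket is the one to reconcile manually against the vendor notice rather than assume safe.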
Technical Notes —
- Attack Vector: Exploitation of a public‑facing application via crafted network traffic (T1190).
- CVE: CVE‑2026‑35616.
- Potential Impact: Arbitrary code execution, privilege escalation, data manipulation, creation of new admin accounts.
- Affected Versions: FortiClientEMS 7.4.5‑7.4.6.
Source: CIS Advisory 2026‑031