Critical RCE in FortiClient EMS (CVE‑2026‑35616) Enables Malware Deployment
What It Is — Fortinet’s FortiClient Endpoint Management Server (EMS) contained an improper access‑control flaw (CVE‑2026‑35616) that allows unauthenticated remote code execution. The vulnerability was patched in April 2026 after Fortinet confirmed active exploitation.
Exploitability — Exploited in the wild by threat actors who send crafted HTTP requests to EMS APIs; a proof‑of‑concept exists and the CVSS base score is 9.1 (Critical).
Affected Products — FortiClient EMS 7.4.5 and 7.4.6 (and any earlier versions lacking the April hot‑fix).
TPRM Impact — Any third‑party that relies on FortiClient EMS to manage endpoints becomes a conduit for credential‑stealing malware, expanding the attack surface across supply‑chain relationships.
Recommended Actions –
- Verify EMS version across all managed sites; immediately apply the out‑of‑band hot‑fix for 7.4.5/7.4.6 or upgrade to 7.4.7.
- Conduct a rapid inventory of all endpoints under EMS control and isolate any that have not been patched.
- Review EMS API logs for anomalous unauthenticated requests and for PowerShell command execution traces.
- Re‑issue internal patch‑distribution policies to prevent “fake” Fortinet updates from being trusted.
- Engage with your MSPs/MSSPs to confirm they have applied the fix and are monitoring for post‑exploitation activity.
Source: Security Affairs