HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical RCE in FortiClient EMS (CVE‑2026‑35616) Enables Malware Deployment

Fortinet’s FortiClient EMS suffered a critical unauthenticated remote code execution flaw (CVE‑2026‑35616) that is being leveraged in the wild to deliver credential‑stealing malware. The vulnerability affects EMS 7.4.5/7.4.6 and poses a high‑risk supply‑chain threat for organizations that rely on FortiClient for endpoint management.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Critical RCE in FortiClient EMS (CVE‑2026‑35616) Enables Malware Deployment

What It Is — Fortinet’s FortiClient Endpoint Management Server (EMS) contained an improper access‑control flaw (CVE‑2026‑35616) that allows unauthenticated remote code execution. The vulnerability was patched in April 2026 after Fortinet confirmed active exploitation.

Exploitability — Exploited in the wild by threat actors who send crafted HTTP requests to EMS APIs; a proof‑of‑concept exists and the CVSS base score is 9.1 (Critical).

Affected Products — FortiClient EMS 7.4.5 and 7.4.6 (and any earlier versions lacking the April hot‑fix).

TPRM Impact — Any third‑party that relies on FortiClient EMS to manage endpoints becomes a conduit for credential‑stealing malware, expanding the attack surface across supply‑chain relationships.

Recommended Actions

  • Verify EMS version across all managed sites; immediately apply the out‑of‑band hot‑fix for 7.4.5/7.4.6 or upgrade to 7.4.7.
  • Conduct a rapid inventory of all endpoints under EMS control and isolate any that have not been patched.
  • Review EMS API logs for anomalous unauthenticated requests and for PowerShell command execution traces.
  • Re‑issue internal patch‑distribution policies to prevent “fake” Fortinet updates from being trusted.
  • Engage with your MSPs/MSSPs to confirm they have applied the fix and are monitoring for post‑exploitation activity.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192817/malware/cve-2026-35616-forticlient-ems-flaw-actively-exploited-in-malware-attacks.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →