FortiClient EMS Zero‑Day (CVE‑2026‑35616) Enables Unauthenticated Code Execution – Active Exploits Observed
What It Is – Fortinet’s FortiClient Endpoint Management Server (EMS) versions 7.4.5 and 7.4.6 contain an improper access‑control flaw (CVE‑2026‑35616) that bypasses API authentication, allowing unauthenticated attackers to run arbitrary commands.
Exploitability – The vulnerability is being exploited in the wild; Fortinet confirmed active attacks and released emergency hot‑fixes. CVSS v3.1 is rated 9.8 Critical (remote, unauthenticated, no user interaction).
Affected Products – FortiClient EMS 7.4.5, 7.4.6 (branch 7.2 is not affected; impact on 8.0 is unknown).
TPRM (Third‑Party Risk Management) Impact – Organizations that rely on FortiClient EMS for endpoint protection face a supply‑chain risk: a compromised EMS can be used to pivot into the broader network, exfiltrate data, or disrupt critical services.
Recommended Actions –
- Deploy Fortinet’s emergency hot‑fix for EMS 7.4.5/7.4.6 immediately.
- Verify the patch is applied across all managed endpoints and confirm version compliance.
- Review API logs for anomalous requests and block any unauthorized IPs.
- Accelerate migration to FortiClient EMS 7.4.7 (or later) where the issue is fully resolved.
- Re‑assess third‑party risk contracts with Fortinet, adding clauses for rapid vulnerability disclosure and remediation.
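The two checks above that lend themselves to automation are version compliance and API log review. The following is an added example, not code from the advisory or from Fortinet: it encodes the affected‑version statement (7.4.5 and 7.4.6 affected, the 7.2 branch unaffected, 7.4.7 and later fixed, 8.0 impact unknown) as a triage function for an EMS inventory, and flags API requests from source addresses outside an allowlist. The log layout, the `/api/` path prefix, the allowlist and the sample log lines are all assumptions constructed for the example; Fortinet's real log format is not described on this page.

```python
"""Added example (not from the advisory): triage FortiClient EMS versions
against the CVE-2026-35616 affected-version statement and flag API
requests from non-allowlisted sources in a constructed log format."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Version facts taken from the advisory text.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED_IN = (7, 4, 7)          # "7.4.7 (or later) where the issue is fully resolved"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'7.4.5' -> (7, 4, 5); a full major.minor.patch string is required."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage_version(text: str) -> str:
    """Map one EMS version to an advisory status, STATUS: explanation."""
    v = parse_version(text)
    branch = v[:2]
    if v in AFFECTED:
        return "AFFECTED: apply the emergency hot-fix, then migrate to 7.4.7+"
    if branch == (7, 2):
        return "NOT_AFFECTED: the 7.2 branch is not affected"
    if branch == (7, 4) and v >= FIXED_IN:
        return "FIXED: 7.4.7 or later"
    if branch == (8, 0):
        return "UNKNOWN: impact on 8.0 is not stated; confirm with the vendor"
    return "UNLISTED: version not covered by the advisory; confirm with the vendor"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group EMS hosts (name -> version string) by triage status keyword."""
    grouped: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        status = triage_version(version).split(":", 1)[0]
        grouped.setdefault(status, []).append(host)
    return grouped


# Assumed, constructed log layout (not a Fortinet format):
#   <ISO timestamp> <src_ip> <method> <path> <http_status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def flag_api_requests(lines: Iterable[str], allowed_sources: Set[str],
                      api_prefix: str = "/api/") -> List[dict]:
    """Return API requests whose source address is not on the allowlist.

    Lines that do not fit the assumed layout are skipped rather than
    guessed at, so a parser mismatch shows up as an empty result, not
    as a false sense of safety.
    """
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, src, method, path, status = m.groups()
        if path.startswith(api_prefix) and src not in allowed_sources:
            flagged.append({"time": ts, "src": src, "method": method,
                            "path": path, "status": int(status)})
    return flagged


# Constructed sample data: a management host on the allowlist and two
# documentation-range addresses (RFC 5737) standing in for unknown sources.
ALLOWED_SOURCES = {"10.0.0.5"}
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z 10.0.0.5 GET /api/placeholder-endpoint 200",
    "2026-01-01T10:00:05Z 203.0.113.77 POST /api/placeholder-endpoint 200",
    "2026-01-01T10:00:09Z 203.0.113.77 GET /login 200",
    "2026-01-01T10:00:12Z 198.51.100.9 GET /api/placeholder-endpoint 401",
    "this line does not match the assumed layout",
]

if __name__ == "__main__":
    inventory = {"ems-prod-1": "7.4.5", "ems-lab": "7.2.9", "ems-new": "8.0.1"}
    for status, hosts in triage_inventory(inventory).items():
        print(status, hosts)
    for hit in flag_api_requests(SAMPLE_LOG, ALLOWED_SOURCES):
        print("review:", hit)
```

The version triage deliberately reports "UNLISTED" for 7.4.x builds below 7.4.5 and anything outside the branches the advisory names, because the page makes no statement about them; a compliance check should surface that gap rather than silently treat unlisted builds as safe.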