Published on April 4, 2026
FortiClient EMS zero-day exploited, emergency hotfixes available (CVE-2026-35616)
Severity: critical
A critical zero-day vulnerability has been identified in Fortinet FortiClient Endpoint Management Server (EMS), allowing unauthenticated attackers to execute arbitrary commands on affected systems. The flaw, tracked as CVE-2026-35616, is actively exploited in the wild and poses a significant risk to enterprise environments relying on Fortinet endpoint management solutions.
The vulnerability originates from improper authentication handling within exposed API endpoints. By sending specially crafted requests, threat actors can bypass authentication controls and gain unauthorized access to the EMS server. Once access is obtained, attackers can execute system-level commands, manipulate endpoint configurations, and potentially deploy additional payloads across managed devices.
Successful exploitation may lead to full system compromise, unauthorized lateral movement within the network, and potential deployment of malware or ransomware across endpoints managed by the EMS platform. Given that EMS servers typically have centralized control over multiple endpoints, the impact of compromise is significantly amplified.
Fortinet has released emergency patches addressing the vulnerability by strengthening authentication validation and restricting unauthorized API access. Organizations are strongly advised to apply the fixes immediately to mitigate the risk of active exploitation.
| CVE ID | Summary | Impact | CVSS Score |
|---|---|---|---|
| CVE-2026-35616 | Authentication bypass in FortiClient EMS API allows unauthenticated remote command execution | Full system compromise, remote code execution, lateral movement | 9.8 (critical) |
Affected Products
The vulnerability impacts Fortinet FortiClient EMS deployments, particularly:
- FortiClient EMS (on-premise deployments)
- Unpatched EMS versions exposed to the internet
Recommendation
To reduce the risk of exploitation, organizations should immediately apply the latest security patches provided by Fortinet and restrict access to EMS management interfaces from external networks. EMS servers should not be directly exposed to the internet and must be placed behind secure access controls such as VPN or internal segmentation.
Administrators are advised to review API access logs for suspicious or unauthorized requests, monitor for abnormal command execution on EMS servers, and validate endpoint activity for signs of compromise. Implementing network segmentation and least privilege access policies can further reduce the risk of lateral movement in the event of a breach.
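The two controls above (keep the management interface reachable only from trusted networks, and review API access logs for requests that should not be there) can be checked together with a small log triage script. The following is an added example written for this page; it is not Fortinet code and makes several assumptions: that the reverse proxy or web server in front of EMS writes Apache "combined" format access logs, that the EMS API is served under a hypothetical `/api/` prefix, and that legitimate administration comes only from a placeholder management subnet `10.20.0.0/24`. The log lines are constructed for illustration. Any API request whose source falls outside the trusted subnet is reported, and one that also received a 2xx response is raised to high severity, since that is exactly the "unauthorized request that succeeded" an administrator wants to investigate first.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache "combined" log format: client, identd, user, [timestamp],
# "METHOD path protocol", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumptions (placeholders, not values from the advisory): the EMS API is
# served under /api/ and only this management subnet may talk to it.
API_PREFIX = "/api/"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log. IPs, paths and timestamps are made up; the
# 203.0.113.x and 198.51.100.x ranges are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
10.20.0.15 - - [04/Apr/2026:08:12:01 +0000] "POST /api/v1/endpoints HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.0.15 - - [04/Apr/2026:08:12:05 +0000] "GET /api/v1/policies HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.42 - - [04/Apr/2026:08:13:10 +0000] "POST /api/v1/endpoints HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.42 - - [04/Apr/2026:08:13:11 +0000] "POST /api/v1/endpoints HTTP/1.1" 200 310 "-" "python-requests/2.31"
198.51.100.7 - - [04/Apr/2026:08:14:00 +0000] "GET /login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
this line is not a valid access log record
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip: str, trusted_nets=TRUSTED_NETS) -> bool:
    """True if ip is a valid address inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed client field: treat as untrusted
    return any(addr in net for net in trusted_nets)


def find_suspicious(log_text: str, trusted_nets=TRUSTED_NETS) -> List[Dict[str, str]]:
    """Flag API requests from outside the trusted networks; 2xx responses are high severity."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash mid-triage
        if not rec["path"].startswith(API_PREFIX):
            continue  # only the API surface is in scope here
        if is_trusted(rec["ip"], trusted_nets):
            continue
        succeeded = rec["status"].startswith("2")
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if succeeded else "medium",
            "reason": "API request from outside the trusted management networks",
        })
    return findings


def count_by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Requests per offending source IP, useful for spotting scanning or retries."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
    print("per-source counts:", count_by_source(SAMPLE_LOG and find_suspicious(SAMPLE_LOG)))
```

In production the trusted ranges would come from the segmentation design rather than a constant, and the script would be pointed at the real access log path; the useful output is the list of high-severity hits, which should be empty on a correctly segmented deployment.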
Continuous monitoring and threat hunting should be conducted to identify any indicators of compromise associated with this vulnerability, especially in environments where EMS servers were previously exposed or unpatched.
