Fortinet CVE-2026-35616: CVSS 9.1 Auth Bypass in FortiClient EMS Under Active Exploitation — No Full Patch Yet
A CVSS 9.1 unauthenticated API bypass in FortiClient EMS 7.4.5–7.4.6 was exploited in the wild five days before Fortinet's advisory. A public PoC exists, CISA added it to KEV, and no complete fix has shipped.
CVE-2026-35616 is a CVSS 9.1 improper access control flaw in Fortinet’s FortiClient EMS — the enterprise endpoint management platform deployed across thousands of corporate networks. An unauthenticated attacker can bypass the EMS API entirely and achieve remote code execution. No credentials required.
Affected versions: FortiClient EMS 7.4.5 and 7.4.6.
Unaffected: Version 7.2.x.
Fix status: An emergency hotfix exists for 7.4.5 and 7.4.6. As of late April 2026, the full patch release (v7.4.7) has not shipped. Apply the hotfix immediately — do not wait for the complete version.
Patch command: Log in to the Fortinet Support Portal, navigate to FortiClient EMS downloads, and select the emergency hotfix for your installed version.
The timeline is damaging for Fortinet’s disclosure process. watchTowr’s honeypots detected in-the-wild exploitation on March 31 — five days before Fortinet published its advisory on April 4. A public proof-of-concept appeared on GitHub by April 6. CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalog the same day, mandating patch-or-mitigate for all federal civilian executive branch agencies by April 9.
Private sector organizations face no federal deadline. Enterprise patch cycles typically run 30–60 days behind advisories, and with a public PoC available since April 6, the exploitation window for unpatched deployments is wide open.
FortiClient EMS is the management plane for endpoint security across corporate device fleets. Compromise it and you gain visibility into every managed endpoint, the ability to push configuration changes remotely, and in many environments a direct pivot point into the broader corporate network. Threat actors understand this — EMS compromise is not about one device, it’s about every device under management.
Remediation checklist:
- Check your version:
fctems --version— if 7.4.5 or 7.4.6, you are vulnerable - Apply the emergency hotfix from the Fortinet Support Portal immediately
- Review EMS API access logs from March 31 onward for anomalous unauthenticated requests
- Restrict EMS API access to management VLANs; never expose the interface to the public internet
- Consider downgrading to 7.2.x if your environment supports it — that branch is unaffected
The broader pattern is the real problem. Exploitation beginning five days before vendor disclosure is no longer unusual. watchTowr’s detection of CVE-2026-35616 before the advisory is one data point in a growing trend: threat actors are finding and weaponizing network management vulnerabilities faster than vendors are patching them, and security teams relying solely on patch cadence are systematically behind.
Monitoring at the network level — not just the patch management console — is the only way to catch the exploitation window between discovery and full remediation.