Fortinet FortiClient EMS Zero-Day: CVE-2026-35616 (Active Exploitation Underway)

On March 31, 2026, watchTowr’s Attacker Eye sensors identified exploitation of a critical zero-day vulnerability in FortiClient EMS, ahead of Fortinet publishing its advisory on April 4, 2026. The vulnerability has been assigned CVE-2026-35616 and carries a CVSS score of 9.1.

The vulnerability allows unauthenticated remote code execution with no credentials required and, at the time of writing, affected the latest versions of FortiClient EMS (without a hotfix).

Following disclosure, Fortinet has released a hotfix that can be applied while waiting for a full software patch (expected in the upcoming FortiClient EMS 7.4.7 release).

CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, 2026.

What’s Affected

FortiClient EMS is an enterprise endpoint management solution. Organizations use it to centrally manage FortiClient deployments across their endpoint fleet, enforcing security policies, VPN configurations, application firewall rules, and endpoint compliance posture at scale.

FortiClient EMS 7.2 and below are not affected.

Affected Versions | Status
7.4.5 | Vulnerable
7.4.6 | Vulnerable

Why This Matters

CVE-2026-35616 was exploited in the wild before Fortinet published its advisory. This is not a theoretical risk or future concern. Attackers were already inside affected environments when the disclosure went public.

FortiClient EMS occupies a central position in enterprise endpoint security. It enforces device policy, manages VPN access, and governs application and compliance controls across corporate endpoints. A compromised EMS server gives an attacker the ability to manipulate endpoint configurations, push malicious policies, and potentially move laterally into the broader environment.

The vulnerability is an improper access control flaw in the FortiClient EMS API. An attacker can send crafted requests to bypass authentication and authorization protections entirely, achieving code execution on the underlying server without valid credentials or user interaction.

This is also the second unauthenticated remote code execution vulnerability in FortiClient EMS disclosed within weeks. CVE-2026-21643, a separate critical flaw in the same product, was actively exploited shortly before this advisory was published. The two vulnerabilities have not been confirmed as linked, and attribution to a specific threat actor has not been established.

The Vendor Response

Fortinet has released an advisory and an out-of-band hotfix for FortiClient EMS 7.4.5 and 7.4.6 that addresses the vulnerability without requiring system downtime.

A permanent fix will be included in the upcoming FortiClient EMS 7.4.7 release. However, until 7.4.7 is available, the hotfix is the only remediation path.

Affected Version | Required Action
7.4.5 | Apply hotfix per Fortinet release notes
7.4.6 | Apply hotfix per Fortinet release notes
7.4.7 (upcoming) | Full patch included on release

Fortinet has not published indicators of compromise. Detection currently relies on log review and configuration auditing rather than definitive IOC matching.

What You Should Do

Confirm whether FortiClient EMS is deployed in the environment and identify the installed version. Internet-facing instances running affected versions should be treated as the highest priority. Affected versions are:

  • 7.4.5
  • 7.4.6

Apply the hotfix immediately. Fortinet has published hotfix instructions for both affected branches in the respective EMS release notes. Do not defer this action pending the 7.4.7 release.

In the absence of published IOCs, review available logs for anomalous API requests and unexpected activity on the EMS server. Audit the following for unauthorized changes:

  • Endpoint security policies
  • VPN configuration profiles
  • Application firewall rules
  • Administrator accounts and access controls
  • Endpoint compliance configurations
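
With no IOCs to match against, one way to run this audit is to diff the current configuration against a known-good baseline taken before the likely compromise window. The sketch below is an added example, not watchTowr or Fortinet code; the snapshot layout, category keys and sample values are hypothetical and constructed.

```python
# Added example: diff an EMS configuration snapshot against a known-good baseline.
# The snapshot shape ({category: {object_name: settings}}) is an assumption;
# adapt the loader to however configuration is exported in your environment.

# The five areas the advisory says to audit (key names are hypothetical).
AUDIT_CATEGORIES = (
    "endpoint_policies",
    "vpn_profiles",
    "firewall_rules",
    "admin_accounts",
    "compliance_configs",
)


def diff_category(baseline, current):
    """Compare two {object_name: settings} maps; return (added, removed, changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if fields:
            changed[name] = fields
    return added, removed, changed


def audit(baseline, current):
    """Return (category, kind, object, changed_fields) findings for manual review."""
    findings = []
    for cat in AUDIT_CATEGORIES:
        added, removed, changed = diff_category(baseline.get(cat, {}), current.get(cat, {}))
        findings += [(cat, "added", n, "") for n in added]
        findings += [(cat, "removed", n, "") for n in removed]
        findings += [(cat, "changed", n, ",".join(f)) for n, f in changed.items()]
    return findings


# Constructed sample data (not taken from a real EMS instance).
BASELINE = {
    "admin_accounts": {"admin": {"role": "super", "mfa": True}},
    "vpn_profiles": {"corp-vpn": {"gateway": "vpn.example.com", "split_tunnel": False}},
    "endpoint_policies": {"default": {"av": True, "web_filter": True}},
}
CURRENT = {
    "admin_accounts": {"admin": {"role": "super", "mfa": True},
                       "svc-sync": {"role": "super", "mfa": False}},
    "vpn_profiles": {"corp-vpn": {"gateway": "vpn.example.net", "split_tunnel": False}},
    "endpoint_policies": {"default": {"av": False, "web_filter": True}},
}

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding, sep="\t")
```

Every finding is a lead for review against change records, not proof of compromise; an added administrator account or a weakened policy with no matching change ticket deserves attention first.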

If compromise is suspected, do not attempt to clean the affected instance in place. Restore from a known-good backup taken before the likely compromise window, or rebuild the EMS instance and migrate the data to it. Where integrity cannot be confidently verified, a full rebuild is the most defensible approach.

Affected organizations should plan to adopt FortiClient EMS 7.4.7, which will include a permanent security patch, as soon as it becomes available.

How watchTowr Responded

Fortinet confirmed exploitation was already underway at the time of disclosure.

This is the moment when most security teams scramble. watchTowr clients were already ahead of Fortinet’s disclosure:

Timeline | watchTowr Response
Before disclosure | Attacker Eye sensors capture active exploitation attempts against FortiClient EMS instances, providing early visibility into attacker behavior ahead of the official advisory.
Following exploitation | Rapid Reaction identifies exposure across the watchTowr client base.
Following exploitation | Active Defense capabilities released to clients, enabling network-level mitigation while affected organizations work toward hotfix deployment.

This is Preemptive Exposure Management in practice.

The watchTowr Platform delivers Preemptive Exposure Management to global enterprises, every single day. By combining Proactive Threat Intelligence with External Attack Surface Management, watchTowr continuously identifies and validates real exposure – so security teams can outrun real-world threats.

When exploitation happens in hours, watchTowr delivers what no one else can: time to respond.
