Full Report
A vulnerability has been discovered in Fortinet FortiClientEMS that could allow for arbitrary code execution. FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured with fewer user rights on the system could be less impacted than those that operate with administrative user rights.
Analysis Summary
# Vulnerability: Fortinet FortiClientEMS Improper Access Control
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** Not explicitly listed in text (Assumed High/Critical based on RCE impact)
- **CWE:** Improper Access Control
## Affected Systems
- **Products:** Fortinet FortiClientEMS (Enterprise Management Server)
- **Versions:** 7.4.5 through 7.4.6
- **Configurations:** Systems with public-facing management interfaces or those reachable via network requests by unauthenticated actors.
## Vulnerability Description
An improper access control vulnerability exists in FortiClientEMS. The flaw allows unauthenticated attackers to send crafted network requests to the server, which can trigger the execution of unauthorized code or system commands. Any code executed this way runs in the context of the service account under which the FortiClientEMS software operates.
## Exploitation
- **Status:** **Exploited in the wild.** Fortinet has observed active exploitation of this flaw.
- **Complexity:** Low (Targeted via crafted network requests)
- **Attack Vector:** Network (Remote, unauthenticated)
## Impact
- **Confidentiality:** High (Attacker can view or delete sensitive data)
- **Integrity:** High (Attacker can modify data, install programs, or create admin accounts)
- **Availability:** High (Attacker can delete data or disrupt management services)
*Note: The impact is dictated by the privileges of the service account; administrative service accounts provide the attacker with full user rights.*
## Remediation
### Patches
- **Immediate Action:** Apply available vendor-provided hotfixes for versions 7.4.5 and 7.4.6.
- **Permanent Fix:** Upgrade to FortiClientEMS version **7.4.7 or above** when available.
### Workarounds
- **Network Segmentation:** Isolate the FortiClientEMS server from the internet. Ensure it is not exposed to the public-facing internet unless strictly necessary.
- **Least Privilege:** Configure the FortiClientEMS service account with the minimum permissions required to function, reducing the potential impact of code execution.
- **Access Control:** Restrict access to the EMS management interface to trusted internal IP ranges or via VPN.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized creation of new user accounts or unexpected program installations on the EMS host.
- **Detection methods:**
  - Perform automated vulnerability scans of externally exposed assets.
  - Conduct application penetration testing to identify unauthenticated access points.
  - Monitor network traffic for unusual requests directed at the FortiClientEMS management ports.
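The indicators above (new accounts or unexpected program installations on the EMS host, attributable to the EMS service account) can be turned into a simple host-log triage. The following is an added example written for this summary; it is not code from the advisory, Fortinet, or CIS. It assumes Windows Security log records exported as dictionaries with the standard field names, uses the real Windows event IDs 4720 (user account created) and 4688 (new process created), and treats the service-account name `svc-forticlientems`, the install path and the sample events as constructed placeholders. It also includes a version check against the affected range the advisory lists (7.4.5 through 7.4.6) for inventory triage.

```python
"""Triage Windows Security events from a FortiClientEMS host.

Added example, not part of the advisory. Event IDs 4720 and 4688 are
standard Windows Security log IDs; the service-account name, install
path and sample events below are constructed for illustration.
"""
from dataclasses import dataclass

# ASSUMPTION: the account FortiClientEMS runs under in this environment.
EMS_SERVICE_ACCOUNT = "svc-forticlientems"

# Installer and scripting binaries that the EMS service account is not
# expected to launch during normal operation (extend to fit your site).
UNEXPECTED_PROCESSES = {"msiexec.exe", "powershell.exe", "cmd.exe", "certutil.exe"}


@dataclass
class Finding:
    event_id: int
    subject: str
    detail: str
    reason: str


def is_affected_version(version: str) -> bool:
    """True when an EMS build falls in the advisory's affected range 7.4.5-7.4.6.

    A hotfixed build may still report the same version string, so pair this
    with the vendor's hotfix status rather than relying on it alone.
    """
    parts = tuple(int(p) for p in version.split("."))
    return (7, 4, 5) <= parts <= (7, 4, 6)


def triage(events):
    """Return findings for account creations and unexpected process launches
    whose subject (the acting account) is the EMS service account."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "")
        acting_as_ems = subject.lower() == EMS_SERVICE_ACCOUNT
        if eid == 4720 and acting_as_ems:
            # EMS has no business creating local user accounts.
            findings.append(Finding(4720, subject, ev.get("TargetUserName", ""),
                                    "EMS service account created a user account"))
        elif eid == 4688 and acting_as_ems:
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe in UNEXPECTED_PROCESSES:
                findings.append(Finding(4688, subject, ev.get("NewProcessName", ""),
                                        "EMS service account spawned an unexpected process"))
    return findings


# Constructed sample events (not real log data). C:\EMS_INSTALL_DIR is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc-forticlientems",
     "NewProcessName": r"C:\EMS_INSTALL_DIR\ems.exe"},                  # expected
    {"EventID": 4720, "SubjectUserName": "Administrator",
     "TargetUserName": "helpdesk01"},                                   # not EMS
    {"EventID": 4720, "SubjectUserName": "svc-forticlientems",
     "TargetUserName": "backup_admin"},                                 # finding
    {"EventID": 4688, "SubjectUserName": "svc-forticlientems",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},                 # finding
    {"EventID": 4688, "SubjectUserName": "svc-forticlientems",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},             # not watched
]


def main():
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.reason}: {f.subject} -> {f.detail}")
    for v in ("7.4.4", "7.4.5", "7.4.6", "7.4.7"):
        print(v, "affected" if is_affected_version(v) else "not in affected range")


if __name__ == "__main__":
    main()
```

In production the `SAMPLE_EVENTS` list would be replaced by records pulled from the host's Security log or a SIEM, and the service-account name would come from the EMS host's actual service configuration; the logic flags behaviour the advisory names as post-exploitation (account creation, program installation) only when it is performed by the account that the vulnerability would hand to an attacker.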
## References
- **Vendor Advisories:** hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-099
- **Relevant links:**
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-35616
  - hxxps[://]www[.]cisecurity[.]org/advisory/a-vulnerability-in-fortinet-forticlientems-could-allow-for-arbitrary-code-execution_2026-031