Full Report
CISA added the flaw to KEV after Fortinet confirmed exploitation in the wild. Fortinet released an emergency patch over the weekend for a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31.…
Analysis Summary
# Vulnerability: FortiClient EMS Improper Access Control RCE
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** 9.1 (Critical)
- **CWE:** Improper Access Control (Specific CWE not provided, but described as such by vendor)
## Affected Systems
- **Products:** FortiClient Enterprise Management Server (EMS)
- **Versions:** FortiClient EMS 7.4.x releases prior to the fixed versions 7.4.5 and 7.4.6
- **Configurations:** Systems with internet-facing management interfaces.
## Vulnerability Description
CVE-2026-35616 is an improper access control vulnerability. It allows an unauthenticated, remote attacker to execute unauthorized code or system commands on the server by sending specially crafted requests to the FortiClient EMS interface.
## Exploitation
- **Status:** Exploited in the wild (Confirmed 0-day). Added to CISA KEV catalog.
- **Complexity:** Not explicitly stated; exploitation was initially characterized as "low and slow" before becoming opportunistic and indiscriminate.
- **Attack Vector:** Network (Remote/Unauthenticated)
## Impact
- **Confidentiality:** High (Unauthorized code execution allows full system access)
- **Integrity:** High (Unauthorized command execution)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Fortinet has released emergency hotfixes and updated versions:
- **FortiClient EMS 7.4.5**
- **FortiClient EMS 7.4.6**
### Workarounds
The article does not list specific configuration workarounds; however, typical mitigation for EMS flaws involves restricting access to the management interface to trusted IP addresses or via a VPN.
## Detection
- **Indicators of Compromise:** Initial exploitation attempts were detected as early as March 31, 2026. Security teams should look for unusual command execution originating from the FortiClient EMS service.
- **Detection methods and tools:**
  - Monitor honeypot infrastructure for crafted requests targeting EMS ports.
  - Federal agencies are mandated by CISA to patch or remediate by the specified deadline (Thursday following the advisory).
  - Review FortiGuard PSIRT advisory FG-IR-26-099 for specific log signatures.
## References
- **Vendor Advisory:** hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-099
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Secondary Related Flaw:** hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-25-1142 (CVE-2026-21643)