~/home/news/critical-forticlient-ems-zero-day-2026-04-10
newsFriday, April 10, 20268 min read👁 28 views

Critical FortiClient EMS Zero-Day (CVE-2026-35616) Actively Exploited - CISA Directive

CISA added CVE-2026-35616, a pre-auth API bypass in FortiClient Enterprise Management Server, to its KEV catalog and issued a Binding Operational Directive. The flaw (CVSS 9.1) enables unauthenticated remote code execution and has been observed in the wild since March 31 2026.

FortinetCVE-2026-35616CISAZero-Day

Overview/Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially flagged a critical zero-day vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS). Identified as CVE-2026-35616, the flaw grants unauthenticated remote code execution (RCE) via a pre-authentication API access bypass. Because the vulnerability is being actively exploited, CISA placed it in the Known Exploited Vulnerabilities (KEV) catalog on April 6 2026 and issued a Binding Operational Directive (BOD 22-) that compels all federal agencies to apply the vendor-supplied hotfix by April 9 2026.

FortiClient EMS is the central component that manages endpoint security policies, telemetry, and software updates for FortiClient agents across an organization. The rapid emergence of an exploit in this critical management plane raises alarm bells for any enterprise that exposes the EMS console to the Internet or runs it in a DMZ for telemetry collection.

Technical Details

CVE Identifier: CVE-2026-35616
Severity: Critical (CVSS 9.1)
Vulnerable Versions: FortiClient EMS 7.4.5 and 7.4.6 (the 7.2 branch is not affected).
Vulnerability Type: CWE-284 - Improper Access Control (pre-authentication API access bypass).

The flaw resides in the EMS telemetry endpoint, which is designed to accept HTTP requests from enrolled FortiClient agents. An attacker can craft a specially-formatted HTTP request that bypasses the authentication and authorization checks that normally protect the RESTful API. Once past these checks, the malicious payload is executed with the privileges of the EMS service process, typically running as root or an equivalent high-privilege system account on the server.

Key technical characteristics:

  • Pre-authentication bypass: No valid credentials, token, or client certificate are required.
  • Remote code execution primitive: The attacker can supply arbitrary command strings that are interpreted by the EMS backend, leading to full system compromise.
  • Stateless HTTP exploit: The attack works over a single request/response cycle, making detection via traditional brute-force or credential-stuffing monitoring ineffective.
  • Impact scope: Any EMS instance reachable from the Internet (or from an internal network segment that can reach the telemetry endpoint) is vulnerable.

Fortinet’s emergency advisory (FG-IR-26-099) confirms that the vulnerability can be exploited via HTTP POST requests to /api/v1/telemetry with a malformed JSON body that injects OS-level commands. The exact command injection vector varies by platform but typically leverages the underlying OS shell.

Impact Analysis

The immediate impact of successful exploitation includes:

  • Full server compromise: Attackers gain code execution with system-level privileges, allowing them to install backdoors, exfiltrate data, or pivot to other network assets.
  • Endpoint takeover: Because EMS pushes policies and updates to managed FortiClient agents, a compromised EMS can issue malicious configurations or binaries to every enrolled endpoint.
  • Lateral movement: The compromised server often resides in a privileged network zone, providing a foothold for further compromise of authentication servers, AD, or other critical infrastructure.
  • Data breach risk: Telemetry logs, configuration files, and credential stores within EMS may be harvested, exposing sensitive corporate or government data.

Given the CVSS score of 9.1, the vulnerability is rated as critical. The fact that it is being exploited in the wild dramatically raises the risk profile for any organization that runs FortiClient EMS, especially those with internet-exposed management consoles.

Timeline of Events

  • March 31 2026: WatchTowr’s honeypot network records the first exploitation attempts targeting the EMS telemetry endpoint.
  • Early April 2026: Defused Cyber researcher Simo Kohonen and Nguyen Duc Anh discover the flaw and responsibly disclose it to Fortinet.
  • April 3 2026: Fortinet releases an emergency advisory (FG-IR-26-099) confirming in-the-wild exploitation and urging customers to apply the hotfix for versions 7.4.5 and 7.4.6.
  • April 6 2026: CISA adds CVE-2026-35616 to its KEV catalog and issues a Binding Operational Directive (BOD 22-) mandating remediation by April 9 for all federal agencies.
  • April 9 2026: Deadline for federal agencies to apply the Fortinet hotfix; many private-sector organizations follow suit after the directive becomes public.

Mitigation/Recommendations

Organizations should treat this vulnerability as an emergency. The following steps are recommended:

  1. Apply the vendor hotfix immediately: Upgrade FortiClient EMS to the patched release (7.4.5 + hotfix or 7.4.6 + hotfix). Fortinet provides separate patches for each affected branch.
  2. Restrict network exposure: If the telemetry endpoint does not require direct Internet access, place EMS behind a firewall and allow inbound traffic only from trusted FortiClient agents (source-IP whitelisting, VPN, or zero-trust network access).
  3. Enable multi-factor authentication (MFA) for console access: While the vulnerability bypasses API auth, MFA adds a layer of defense for any subsequent manual access attempts.
  4. Monitor for Indicators of Compromise (IOCs):
    • Unusual HTTP POST requests to /api/v1/telemetry with non-JSON payloads.
    • New processes running as root owned by the EMS service binary.
    • Outbound connections from EMS to unknown C2 domains.
  5. Conduct a forensic review: For any EMS instance that may have been exposed before patching, perform a full forensic analysis of logs, file integrity, and network traffic to detect potential compromise.
  6. Patch management hygiene: Review patch cycles for all management infrastructure to ensure future zero-days are addressed within the vendor-recommended timeframe.

Real-World Impact

The exploitation of CVE-2026-35616 can quickly transition from a single compromised server to a full-scale enterprise breach. In a typical deployment, a single EMS instance may manage thousands of endpoints across multiple geographic sites. A malicious actor who gains control of the EMS can:

  • Push a malicious version of FortiClient that includes a backdoor or ransomware payload.
  • Alter security policies to whitelist attacker IPs or disable critical detection modules.
  • Harvest telemetry data that includes hostnames, OS versions, and potentially credential hashes.

Federal agencies that rely on FortiClient EMS for endpoint compliance are especially vulnerable because a breach could undermine national security operations, supply-chain integrity, and classified data protection. The CISA BOD underscores the urgency: failure to remediate by the April 9 deadline could result in loss of funding or compliance penalties.

Expert Opinion

From a strategic perspective, the rapid emergence of a pre-authentication RCE in a widely deployed management platform signals a shift in attacker tactics. Rather than focusing on endpoint exploits alone, threat actors are targeting the “control plane” - the services that orchestrate security policies across the enterprise. This approach offers a high-return, low-effort payoff: compromise one EMS server and you potentially control every connected endpoint.

The fact that Fortinet’s 7.2 branch remains unaffected suggests that the vulnerable code path was introduced in the 7.4 series, possibly as part of new telemetry features. Organizations that have delayed upgrading to newer branches may inadvertently avoid this zero-day, but they also miss out on other security improvements. The lesson is clear: newer does not always mean safer unless rigorous secure-development practices are in place.

For the broader industry, this incident reinforces the importance of:

  • Zero-trust network segmentation: Even management servers should be segmented and accessed only via authenticated, encrypted channels.
  • Continuous vulnerability scanning of internal services: Many organizations only scan public-facing assets; internal APIs like EMS telemetry often slip through.
  • Rapid incident-response playbooks for management-plane compromise: Traditional endpoint-focused playbooks need to be expanded to include “management server breach” scenarios.

In short, CVE-2026-35616 is a wake-up call. Enterprises must treat their security orchestration platforms as high-value targets and apply the same rigor to their protection as they would to any critical database or authentication server.