TP-2026-0030 critical Under Review C

FortiClient EMS Zero-Day Exploitation (CVE-2026-35616)

Date April 4, 2026
Attack Type zero-day-exploitation
Sector Multi-Sector / Enterprise IT
Geography Global
Threat Actor Unknown
Attribution A4
Confidence C

Summary

CVE-2026-35616 is an actively exploited improper access control vulnerability in Fortinet FortiClient EMS 7.4.5 through 7.4.6. Fortinet’s advisory says the flaw may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests, making exposed EMS servers a high-priority patch target.

watchTowr said it observed exploitation on March 31, 2026, before Fortinet published its advisory on April 4. Government follow-up alerts from the Canadian Centre for Cyber Security and entries in the U.S. government vulnerability catalog reinforced that the flaw was under active exploitation and required rapid remediation.

Technical Analysis

Fortinet describes CVE-2026-35616 as an improper access control issue in FortiClient EMS. The affected surface is the management server, and the core risk is that crafted requests can bypass intended controls and trigger unauthorized code or command execution without prior authentication.

Affected versions include 7.4.5 and 7.4.6. Fortinet has provided hotfix guidance and a fixed release path. There is currently no confirmed evidence of downstream endpoint compromise or specific actor tradecraft beyond the initial exploitation of the EMS surface.

Attack Chain

Stage 1: Exposure of Vulnerable EMS Instances

Organizations running FortiClient EMS 7.4.5 or 7.4.6 exposed a management surface vulnerable to crafted unauthenticated requests.

Stage 2: Exploitation Observed in the Wild

watchTowr reported seeing exploitation activity against the vulnerable EMS surface on March 31, 2026, before the vendor advisory was publicly released.

Stage 3: Vendor and Government Response

Fortinet published its advisory and patch guidance on April 4, and government alerts followed with instructions to remediate affected systems on an accelerated timeline.

Impact Assessment

The confirmed impact is the risk of unauthorized code or command execution on the FortiClient EMS server itself. Because EMS is an administrative system for managed endpoints, compromise of the server creates a serious trust and control problem for organizations that rely on it for endpoint management.

There is no confirmed data regarding the number of victim organizations, the identity of the threat actor, or the specific sequence of post-exploitation activity. Organizations should prioritize patching and exposure reduction.

Attribution

No public source identified a named threat actor for CVE-2026-35616 exploitation. The incident remains an actively exploited vulnerability event with unknown actor attribution.

Until a vendor, government, or other primary-source investigation publishes confirmed actor information, this exploitation activity should remain unattributed.

Timeline

2026-03-31 - Event

watchTowr reported exploitation of the zero-day vulnerability against FortiClient EMS before public vendor disclosure.

2026-04-04 - Event

Fortinet published advisory FG-SN-2026-00016 with affected-version and patch guidance for CVE-2026-35616.

2026-04-06 - Event

The U.S. government vulnerability catalog reflected CVE-2026-35616 as a known exploited issue with accelerated remediation requirements.

2026-04-07 - Event

The Canadian Centre for Cyber Security published an alert noting active exploitation and directing defenders to Fortinet’s remediation guidance.

Remediation & Mitigation

Fortinet’s guidance is the primary remediation path: identify FortiClient EMS instances on affected versions (7.4.5 and 7.4.6), apply the appropriate hotfix or upgrade path, and restrict exposure of the management surface while patching is underway. Government alerts also call for rapid remediation, or for taking vulnerable instances offline if mitigations cannot be applied quickly.
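The first step of that guidance, finding which EMS servers fall in the affected range and deciding which to handle first, is easy to get wrong with naive string comparison (for example, "7.4.10" sorting before "7.4.6"). The following is an added example, not Fortinet's tooling or anything from the advisory: it parses EMS version strings into numeric tuples, checks them against the 7.4.5 through 7.4.6 range stated above, and ranks hosts by whether their management surface is internet-exposed. The inventory format (host, version, internet_exposed) and the sample entries are constructed assumptions; the priority labels are illustrative, not a Fortinet or government scheme.

```python
"""Inventory triage for FortiClient EMS against CVE-2026-35616.

Added example, not vendor code. Assumes an inventory of dicts with
'host', 'version' and 'internet_exposed' keys (a constructed format).
The affected range 7.4.5 through 7.4.6 is taken from the advisory summary.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Affected range as stated in the report (inclusive on both ends).
AFFECTED_MIN: Tuple[int, int, int] = (7, 4, 5)
AFFECTED_MAX: Tuple[int, int, int] = (7, 4, 6)

# Illustrative priority labels, ordered from most to least urgent.
PRIORITY_ORDER = {
    "P1-patch-or-isolate-now": 0,   # affected and reachable from the internet
    "P2-patch-this-cycle": 1,       # affected but internal only
    "verify-version": 2,            # version string unreadable; check by hand
    "not-affected": 3,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into a numeric tuple so 7.4.10 > 7.4.6."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable FortiClient EMS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies within the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


@dataclass
class TriageItem:
    host: str
    version: str
    internet_exposed: bool
    priority: str


def triage(inventory: Iterable[dict]) -> List[TriageItem]:
    """Classify every inventory entry and return them most-urgent first."""
    results: List[TriageItem] = []
    for entry in inventory:
        exposed = bool(entry.get("internet_exposed", False))
        try:
            affected = is_affected(entry["version"])
        except ValueError:
            # Never silently drop a host just because its version field is odd.
            results.append(TriageItem(entry["host"], entry["version"], exposed, "verify-version"))
            continue
        if not affected:
            priority = "not-affected"
        elif exposed:
            priority = "P1-patch-or-isolate-now"
        else:
            priority = "P2-patch-this-cycle"
        results.append(TriageItem(entry["host"], entry["version"], exposed, priority))
    results.sort(key=lambda item: (PRIORITY_ORDER[item.priority], item.host))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ems-dmz-01.example.test", "version": "7.4.5", "internet_exposed": True},
    {"host": "ems-corp-02.example.test", "version": "7.4.6", "internet_exposed": False},
    {"host": "ems-lab-03.example.test", "version": "7.4.4", "internet_exposed": True},
    {"host": "ems-old-04.example.test", "version": "7.4.10", "internet_exposed": False},
    {"host": "ems-unk-05.example.test", "version": "7.4", "internet_exposed": True},
]


if __name__ == "__main__":
    for item in triage(SAMPLE_INVENTORY):
        flag = "internet-exposed" if item.internet_exposed else "internal"
        print(f"{item.priority:<26} {item.host:<28} {item.version:<8} {flag}")
```

Hosts that come back as verify-version should be checked manually rather than assumed safe, and anything in P1 is a candidate for the "restrict exposure while patching" step the guidance describes.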

Defenders should review EMS access logs and server activity for suspicious crafted requests, then treat the server as a high-value administrative asset in any follow-up investigation. Investigation should focus on observed artifacts within the specific environment, as generalized post-exploitation patterns have not been established.

Sources & References