# FortiClient EMS CVE-2026-35616 exploited
- Fortinet disclosed CVE-2026-35616 in FortiClient EMS on April 3, saying attackers were already exploiting 7.4.5 and 7.4.6 management servers in the wild. (fortiguard.fortinet.com)
- The bug is a pre-auth header-trust failure: spoofing `X-SSL-CLIENT-VERIFY` can flip an API response and open a path to unauthorized code execution. (bishopfox.com)
- CISA added it to KEV on April 6, turning this from urgent patching into a near-term federal compliance and exposure problem. (cisa.gov)
FortiClient EMS is the management server behind Fortinet’s endpoint fleet. That makes this a control-plane problem, not just another endpoint bug. If an attacker get(fortiguard.fortinet.com)rtificates, and talks to managed devices. The news is that Fortinet confirmed active exploitation of CVE-2026-35616 in vulnerable EMS 7.4.5 and 7.4.6 builds, shipped hotfixes, and said 7.4.7 includes the fix. (fortiguard.fortinet.com)

### What is FortiClient EMS, exactly?

FortiClient EMS is the central console for managing FortiClient endp(cisa.gov)anagement-plane emergency,” that is not hype. A compromise here can ripple outward into trust relationships and endpoint administration. (fortiguard.fortinet.com)

### What is the bug?

At the highest level, CVE-2026-35616 is an improper access control flaw in FortiClient EMS 7.4.5 through 7.4.6. Fortinet’s own advisory says an unauthenticated attacker can execute unauthorized code or commands through crafte(fortiguard.fortinet.com)fortiguard.fortinet.com)

### How does the bypass work?

The interesting part is not some exotic memory corruption trick. It turns out the app trusted certificate-authentication data from places it should not have trusted. Bishop Fox showed that Django middleware accepted client-certificate info from both safe(fortiguard.fortinet.com)tripping the dangerous header variants. In plain English — the server could be talked into believing a certificate check succeeded when no real client certificate was presented. (bishopfox.com)

### Why does one header matter?

(fortiguard.fortinet.com) boundary. ProjectDiscovery’s detection logic compares the same request with and without `X-SSL-CLIENT-VERIFY: SUCCESS`; the behavior change is the tell. That is a useful mental model for defenders too — you are not looking for a noisy exploit chain first, you are looking for evidence that authentication assumptions were broken at the edge. (cloud.projectdiscovery.io)

### Was it really exploited in the wild?

Yes. Fortinet said so in the PSIRT advisory, and CISA added CVE-202(bishopfox.com)anges from “should we prioritize this?” to “why is this not already being patched?”, especially for federal teams and anyone who borrows CISA’s prioritization model. (fortiguard.fortinet.com)

### What should defenders do first?

Patch or hotfix immediately. Fortinet pointed customers on 7.4.5 and 7.4.6 to specific hotfix instructions, and 7.4.7 rolled in the fix. Then assume exposure may already h(cloud.projectdiscovery.io)o API endpoints, reviewing admin and service-account changes, rotating credentials tied to EMS, and reissuing or validating certificates and tokens that EMS could influence. (fortiguard.fortinet.com)

### Why does this story feel familiar?

Because FortiClient EMS has already had another serious 2026 issue tied to unauthenticated code ex(fortiguard.fortinet.com) but it does reinforce the same lesson — management servers exposed to the internet are high-value targets, and attackers move fast when authentication breaks on those surfaces. (fortiguard.fortinet.com)

### Bottom line?

This is not an endpoint clean-up story. It is a trust-infrastructure story. If your FortiClient EMS server was on 7.4.5 or 7.4.6 and reachable by attackers, the safe assumption is that patching(fortiguard.fortinet.com)en allowed to do. (fortiguard.fortinet.com)
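The two sections above on how the bypass works and why one header matters describe a general pattern: a back end that believes a client-certificate result carried in a request header, no matter who set it, and a defender-side check that watches for the same request behaving differently with and without that header. The following is an added example written for this page; it is not Fortinet's, Bishop Fox's or ProjectDiscovery's code, and the page does not describe how EMS's own middleware is built. It assumes a generic deployment with a TLS-terminating reverse proxy at a constructed address (10.0.0.5) as the only component allowed to assert `X-SSL-CLIENT-VERIFY`, and a constructed front-end access-log format with a trailing `cert_verify="..."` field. The hardening half strips every spelling of the header (hyphen, underscore, case, and the `HTTP_` prefix that Django's `request.META` adds) unless the request came from the proxy; the detection half runs over sample log lines and flags both spoofed headers from non-proxy sources and the with/without-header differential the page calls the tell.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed deployment (constructed value): a TLS-terminating reverse proxy at
# 10.0.0.5 is the only component allowed to assert a client-certificate result.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# Every spelling a server-side filter has to treat as the same header. HTTP
# header names are case-insensitive, and frameworks such as Django expose them
# in request.META as HTTP_X_SSL_CLIENT_VERIFY (hyphens folded to underscores),
# so a filter that matches only one form leaves the others trusted.
_CERT_HEADER_RE = re.compile(r"^(HTTP_)?X[-_]SSL[-_]CLIENT[-_]VERIFY$", re.IGNORECASE)


def is_cert_verify_header(name: str) -> bool:
    """True for any variant of X-SSL-CLIENT-VERIFY."""
    return _CERT_HEADER_RE.match(name) is not None


def _from_trusted_proxy(remote_addr: str) -> bool:
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def sanitize_headers(headers: dict, remote_addr: str) -> dict:
    """Drop every client-certificate verification header unless the request
    came from the trusted proxy. Run this before any authentication logic."""
    keep_cert_headers = _from_trusted_proxy(remote_addr)
    return {
        name: value
        for name, value in headers.items()
        if keep_cert_headers or not is_cert_verify_header(name)
    }


def client_cert_verified(headers: dict, remote_addr: str) -> bool:
    """Hardened check: only a SUCCESS that survived sanitisation counts."""
    clean = sanitize_headers(headers, remote_addr)
    return any(
        is_cert_verify_header(name) and value.strip().upper() == "SUCCESS"
        for name, value in clean.items()
    )


# Constructed front-end access-log lines. The trailing field records the
# X-SSL-CLIENT-VERIFY value as received from the client ("-" when absent).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2026:10:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 cert_verify="SUCCESS"',
    '203.0.113.9 - - [03/Apr/2026:10:00:02 +0000] "GET /api/v1/status HTTP/1.1" 401 cert_verify="-"',
    '203.0.113.9 - - [03/Apr/2026:10:00:03 +0000] "GET /api/v1/status HTTP/1.1" 200 cert_verify="SUCCESS"',
    '198.51.100.4 - - [03/Apr/2026:10:00:04 +0000] "GET /api/v1/status HTTP/1.1" 401 cert_verify="-"',
]

_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cert_verify="(?P<verify>[^"]*)"$'
)


def parse_log(lines):
    """Yield one dict per line that matches the constructed log format."""
    for line in lines:
        m = _LOG_RE.match(line)
        if m:
            yield m.groupdict()


def flag_spoofed_cert_headers(lines):
    """Real clients never set this header, so any request carrying a value
    that did not arrive from the proxy is worth an alert on its own."""
    return [
        (r["src"], r["path"], int(r["status"]))
        for r in parse_log(lines)
        if r["verify"] != "-" and not _from_trusted_proxy(r["src"])
    ]


def find_differential_probes(lines):
    """The with/without-header comparison as a log check: one source hitting
    one path both with and without the header and getting different status
    codes is the behaviour change the page describes."""
    seen = defaultdict(set)  # (src, path) -> {(header_present, status)}
    for r in parse_log(lines):
        seen[(r["src"], r["path"])].add((r["verify"] != "-", int(r["status"])))
    hits = []
    for (src, path), observations in seen.items():
        with_hdr = {s for present, s in observations if present}
        without_hdr = {s for present, s in observations if not present}
        if with_hdr and without_hdr and with_hdr != without_hdr:
            hits.append((src, path, sorted(without_hdr), sorted(with_hdr)))
    return hits


if __name__ == "__main__":
    print(flag_spoofed_cert_headers(SAMPLE_LOG))
    print(find_differential_probes(SAMPLE_LOG))
```

In a Django deployment the `sanitize_headers` step belongs in a middleware placed before any authentication middleware in `MIDDLEWARE`, operating on `request.META`; the two log functions are meant to run against the proxy's access log, since behind the proxy every request shares the proxy's source address and the client-supplied header is no longer distinguishable.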