External risk intelligence

FortiClient EMS allows attackers to run unauthorized code remotely.

CVE advisoryKnown Exploit

CVE-2026-35616

Fortinet FortiClient EMS has a critical flaw allowing unauthenticated attackers to run unauthorized code remotely. This is a serious risk because it can be exploited from anywhere on the internet.

4Halo Surface Signal

Fortinet Forticlientems

7.4.57.4.6

External exposure likelihood

Halo Surface Signal score for CVE-2026-35616

FortiClient EMS is a web-based centralized management platform. These systems are often deployed as internet-facing web applications to enable the management of remote endpoints and distributed devices, which makes the management interface frequently reachable from the public internet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

An improper access control vulnerability in Fortinet FortiClientEMS could allow an attacker to run unauthorized code or commands. This is a critical issue because it can be exploited without any prior access or authentication.

  • Attackers can run unauthorized code.
  • This affects FortiClientEMS versions 7.4.5 and 7.4.6.
  • The vulnerability is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to an affected FortiClientEMS server. This allows them to bypass authentication and execute arbitrary code or commands, potentially leading to a full system compromise. The lack of authentication requirements and the ability to execute code remotely make this a critical vulnerability.

  • No authentication required.
  • Target: FortiClientEMS server.
  • Network-accessible endpoint.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability in Fortinet FortiClientEMS presents a significant threat due to its unauthenticated, remote execution capabilities. Attackers favor such vulnerabilities because they require no prior access or privileges, offering a direct path to compromise systems. The widespread use of EMS for managing endpoints, especially those exposed to the internet, makes it an attractive target for widespread exploitation.

  • Listed on CISA KEV catalog.
  • Exploited in the wild.
  • Vulnerability is exploitable remotely.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the critical severity and active exploitation of this vulnerability, prioritize isolating or taking affected FortiClient EMS instances offline. Teams should immediately investigate logs for signs of unauthorized access or command execution originating from network-facing instances. If isolation is not feasible, implement strict network access controls to limit exposure until a patch can be applied.

  • Block all unauthorized network access.
  • Review logs for exploitation attempts.
  • Upgrade FortiClient EMS to a patched version.

Frequently asked questions

What is Fortinet FortiClientEMS?

FortiClient EMS is a centralized management platform used to manage endpoint security for Fortinet products. It helps organizations control and monitor security software on devices.

What kind of weakness does CVE-2026-35616 describe?

CVE-2026-35616 describes an improper access control vulnerability. This means the software does not correctly enforce restrictions on what users or processes can do, allowing unauthorized actions.

How can an attacker exploit FortiClient EMS via CVE-2026-35616?

An attacker can exploit this vulnerability by sending specially crafted requests to the FortiClient EMS server. No prior authentication or access is needed for the attacker to trigger the vulnerability.

How likely is it that internet-facing FortiClient EMS instances are at risk?

There is a high likelihood that internet-facing FortiClient EMS instances are at risk. Halo Surface Signal indicates that management platforms like this are often exposed to the internet to manage remote devices.

What is the first step for organizations running affected FortiClient EMS versions?

Organizations running affected versions of FortiClient EMS should immediately investigate logs for any signs of unauthorized access or command execution, especially on internet-facing instances.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified