PROBABLYPWNED | Vulnerabilities | April 5, 2026

FortiClient EMS Zero-Day Under Active Exploit — Patch Now

CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.

Marcus Chen

Fortinet administrators who rushed to patch CVE-2026-21643 last month now face a new problem: the patched versions contain a different critical vulnerability that attackers are already exploiting.

CVE-2026-35616 is an improper access control flaw in FortiClient EMS versions 7.4.5 and 7.4.6—the exact versions Fortinet released to fix the SQL injection vulnerability we covered in late March. Security firm watchTowr recorded the first exploitation attempts on March 31, just days after organizations began deploying the "fixed" builds.

What Makes This Different

Unlike the previous SQL injection that affected only version 7.4.4, CVE-2026-35616 targets the authentication layer itself. The vulnerability allows unauthenticated attackers to bypass API authentication and authorization protections entirely, then execute arbitrary code through specially crafted HTTP requests.

Fortinet assigned a CVSS score of 9.1 and categorized it as CWE-284 (Improper Access Control). The company confirmed active exploitation in its advisory: "Fortinet has observed [CVE-2026-35616] to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6."

The irony isn't lost on security researchers. Organizations that moved quickly to patch the February vulnerability are now running vulnerable software. Those who delayed patching for 7.4.4 and jumped straight to the affected 7.4.5 or 7.4.6 releases walked into an active exploitation campaign.

Technical Details

The flaw exists in the API authentication mechanism. Attackers don't need valid credentials—they can craft requests that sidestep authentication checks altogether and interact with privileged API endpoints directly.

Successful exploitation gives attackers the same access as legitimate EMS administrators:

  • Full visibility into managed endpoint inventory
  • Access to security policies and configurations
  • Ability to modify endpoint deployments
  • Access to administrative credentials and certificates

This mirrors the impact of CVE-2026-21643, but through a completely different attack vector. While the SQL injection exploited database query handling, this vulnerability exploits flawed access control logic in the API layer.

Discovery and Timeline

Security researchers Simo Kohonen from Defused Cyber and Nguyen Duc Anh discovered the vulnerability. watchTowr's honeypot infrastructure detected the first active exploitation attempts on March 31, 2026.

watchTowr CEO Benjamin Harris noted the timing: "Holiday weekends represent opportunity. Security teams are at half [capacity]." The initial exploitation coincided with the end of Q1, when many organizations were focused on closing out financial quarters rather than monitoring for new threats.

The discovery came just weeks after CVE-2026-21643 began seeing active exploitation—creating an unusual situation where both the vulnerable version and its patch contained critical, actively exploited flaws.

Affected Versions

The vulnerability affects only FortiClient EMS 7.4.5 and 7.4.6. Older versions (7.2.x, 7.4.3 and earlier) and the FortiEMS Cloud service are not affected.

Version 7.4.4 remains vulnerable to CVE-2026-21643 but is not affected by CVE-2026-35616. Organizations still running 7.4.4 face the original SQL injection risk and should upgrade directly to the hotfixed versions.

Patching and Mitigation

Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6. A permanent fix will ship in FortiClient EMS 7.4.7. The company states the hotfixes are "sufficient to prevent [exploitation] entirely."

For organizations that can't apply hotfixes immediately:

  1. Restrict network access to the EMS administrative interface—limit it to authorized management networks only
  2. Monitor API logs for unusual authentication patterns or requests to privileged endpoints
  3. Deploy WAF rules to inspect requests targeting EMS API endpoints

These mitigations reduce exposure but don't eliminate risk. Attackers who've already gained network access through other means—perhaps through the numerous other Fortinet vulnerabilities disclosed this year—can still reach internal EMS deployments.

Exposure Concerns

The Shadowserver Foundation tracks over 2,000 internet-accessible FortiClient EMS instances globally. That count includes deployments running various versions, but organizations that recently patched for CVE-2026-21643 likely upgraded to the now-vulnerable 7.4.5 or 7.4.6 releases.

Enterprise endpoint management systems shouldn't be internet-exposed, but reality often differs from best practice. Organizations use EMS to manage remote workers, branch offices, and distributed infrastructure—configurations that sometimes require external accessibility. This exposure pattern mirrors what researchers found during the March 2026 Fortinet patch cycle, where multiple products required urgent updates.

Why This Matters

Two critical vulnerabilities in the same product within weeks—with the second affecting the patch for the first—create a difficult situation for defenders. The pattern suggests either rushed development cycles or insufficient security review of new releases.

Fortinet products continue appearing in CISA's Known Exploited Vulnerabilities catalog at concerning rates. FortiGate appliances have faced authentication bypass exploits, brute-force attacks from specialized tools like Brutus, and supply chain concerns.

The company's products protect network perimeters—the exact place where vulnerabilities cause maximum damage. Organizations relying on Fortinet infrastructure need processes for rapid patch deployment, because the gap between disclosure and exploitation keeps shrinking.

Post-Exploitation Investigation

Organizations that ran vulnerable EMS versions before patching should investigate for compromise indicators:

  • Review API access logs for requests bypassing normal authentication flows
  • Check for unauthorized administrative actions or policy modifications
  • Audit endpoint configurations pushed through EMS during the exposure window
  • Rotate administrative credentials and API tokens
  • Review managed endpoint certificates for tampering
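As an added defensive example (not code from the article or from Fortinet), the script below covers two of the points raised here and in the mitigation list earlier: monitoring API logs for privileged calls that carry no authenticated identity, and for administrative calls arriving from outside the management networks. The log schema, endpoint paths and network allow-list are hypothetical placeholders, since the article does not describe EMS's real log format.

```python
import ipaddress
import json

# Hypothetical allow-list of management networks and privileged API prefixes;
# EMS's real endpoint paths and log schema are not described on this page.
MANAGEMENT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]
PRIVILEGED_PREFIXES = ("/api/v1/admin/", "/api/v1/policies/", "/api/v1/deployments/")
def classify(entry: dict) -> list[str]:
    # Return finding labels for one parsed log entry; empty list means nothing suspicious.
    findings = []
    if not entry.get("path", "").startswith(PRIVILEGED_PREFIXES):
        return findings
    # Signal 1: a privileged endpoint returned success with no authenticated identity.
    status = int(entry.get("status", 0))
    if 200 <= status < 300 and not entry.get("user"):
        findings.append("unauthenticated_privileged_success")
    # Signal 2: a privileged call from outside the approved management networks.
    try:
        src = ipaddress.ip_address(entry.get("src_ip", ""))
    except ValueError:
        findings.append("unparseable_source_ip")
        return findings
    if not any(src in net for net in MANAGEMENT_NETWORKS):
        findings.append("privileged_call_from_untrusted_network")
    return findings

def triage(log_text: str) -> list[tuple[int, list[str]]]:
    # Parse newline-delimited JSON log lines; return (line_no, findings) for hits only.
    hits = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            hits.append((line_no, ["malformed_log_line"]))
            continue
        findings = classify(entry)
        if findings:
            hits.append((line_no, findings))
    return hits

# Constructed sample log lines, not real EMS output.
SAMPLE_LOG = """
{"ts":"2026-03-31T02:14:07Z","src_ip":"10.10.4.21","user":"admin","path":"/api/v1/policies/list","status":200}
{"ts":"2026-03-31T02:15:11Z","src_ip":"203.0.113.77","user":"","path":"/api/v1/admin/users","status":200}
{"ts":"2026-03-31T02:16:40Z","src_ip":"192.168.50.9","user":"","path":"/api/v1/deployments/push","status":200}
{"ts":"2026-03-31T02:17:02Z","src_ip":"10.10.4.21","user":"admin","path":"/api/v1/health","status":200}
"""
```

Running `triage(SAMPLE_LOG)` flags the internet-sourced unauthenticated success on both signals and the inside-sourced one on the first signal only; the authenticated admin call and the non-privileged health call produce no findings.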

Compromising endpoint management infrastructure gives attackers persistent access across managed devices. Even after patching the EMS server, attackers may have already established footholds on individual endpoints. For organizations dealing with potential compromise, understanding social engineering tactics attackers commonly use alongside technical exploitation helps identify the full scope of incidents.

The vulnerability underscores why defense-in-depth matters. Organizations treating any single security product as a complete solution—even one designed to manage endpoint security—risk catastrophic failure when that product itself becomes the attack vector.
