Fortinet disclosed CVE-2026-35616 on April 3, a pre-authentication API access bypass in FortiClient EMS with a CVSS score of 9.1. Within 72 hours, CISA added it to the Known Exploited Vulnerabilities catalog and gave federal agencies just three days to patch. According to watchTowr, exploitation attempts against their honeypot network began on March 31, a full three days before the public disclosure. The attackers chose a holiday weekend to strike, and they had a head start.
Why FortiClient EMS Is a High-Value Target
FortiClient EMS is the central management server that pushes security policies, VPN configurations, and endpoint compliance rules to every FortiClient agent in an organization. Compromising it does not just give an attacker access to one machine. It gives them a control plane for every managed endpoint in the network.
The vulnerability itself is an improper access control flaw that lets an unauthenticated attacker send crafted requests to the EMS API and escalate privileges to execute arbitrary code. According to Fortinet's advisory, affected versions include FortiClient EMS 7.4.5 through 7.4.6. A hotfix is available now, with a full patch expected in version 7.4.7.
This is the second unauthenticated vulnerability in FortiClient EMS disclosed in recent weeks. That pattern should concern any security team running Fortinet infrastructure. When the same product produces multiple critical authentication bypass flaws in rapid succession, it signals a systemic issue in how that component handles trust boundaries.
The Holiday Weekend Exploitation Pattern
According to watchTowr CEO Benjamin Harris, the timing of exploitation was deliberate. Attackers began scanning and exploiting vulnerable instances over a holiday weekend, when security teams typically operate at reduced capacity. According to Defused Cyber, the earliest confirmed exploitation activity predates the public advisory by several days, meaning threat actors had working exploit code before defenders knew the flaw existed.
This pattern is well-established and accelerating. Nearly 40 percent of all intrusions in Q4 2025 involved exploitation of known vulnerabilities, according to Cisco Talos threat intelligence reports. Attackers are not waiting for complex social engineering campaigns. They are scanning for exposed management interfaces and hitting them with exploit code within hours of disclosure.
The three-day remediation window CISA imposed reflects how seriously the agency views active exploitation. Standard KEV deadlines run 14 to 21 days. A three-day window means CISA believes the risk of widespread compromise is immediate.
Assessing Your Exposure
The first question is whether FortiClient EMS is reachable from the internet. Many organizations expose their EMS instance for remote endpoint management, which is exactly the configuration attackers are targeting. Even organizations that believe their EMS is internal-only should verify, because misconfigured firewall rules and cloud deployments can create unintended exposure.
The second question is version. Only FortiClient EMS 7.4.5 and 7.4.6 are affected. Organizations running older major versions are not vulnerable to this specific flaw, though they likely face other unpatched issues.
The third question is whether you have already been compromised. Given that exploitation began before public disclosure, any organization running an affected version should assume breach until proven otherwise. Check EMS server logs for unexpected API calls, look for new administrative accounts, and review recent policy changes pushed to endpoints.
What To Do About It
1. Apply the hotfix immediately. Fortinet released emergency hotfixes for FortiClient EMS 7.4.5 and 7.4.6. Do not wait for the full 7.4.7 release. According to Fortinet, the hotfix addresses the root cause and does not require restarting the EMS service.
2. Restrict network access to EMS. If your FortiClient EMS instance is reachable from the public internet, put it behind a VPN or restrict access to known management IP ranges today. Management interfaces for security products should never face the internet directly.
3. Hunt for indicators of compromise. Review EMS server access logs from March 28 onward. Look for API requests that succeeded without a preceding login, especially to REST endpoints that normally require admin credentials. Check for newly created user accounts and any policy modifications you did not authorize. Prefer log copies forwarded to a SIEM over logs stored only on the EMS host: an attacker with code execution on the server can alter or delete local logs, so gaps in the local record are themselves a finding.
4. Audit your Fortinet estate. Two critical authentication bypasses in one product in a short timeframe demands a broader review. Inventory every Fortinet product in your environment, verify each is running current firmware, and confirm that management interfaces are segmented from production networks.
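To make the hunting step concrete, the script below is an added example written for this page, not Fortinet tooling or anything from the advisory. It walks a web-server access log and flags API requests that were answered with a 2xx status by clients that never completed a login earlier in the log, which is what pre-authentication access looks like in an access log. The log layout (combined log format), the login and API paths, and the sample log lines are all constructed assumptions; map them onto the fields and routes your EMS actually records before running it against real data.

```python
"""Flag API requests that succeeded without a preceding login.

Added example for hunting pre-auth API access in access logs. The log
format, endpoint paths and sample lines are ASSUMED for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Combined log format. This layout is an ASSUMPTION; adjust the regex to
# the fields your EMS web-server log actually contains.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Placeholder routes, not documented EMS endpoints: replace with the real ones.
LOGIN_PATH = "/api/v1/auth/login"
API_PREFIX = "/api/"
# Hunting window opens March 28, per the guidance above.
HUNT_START = datetime(2026, 3, 28, tzinfo=timezone.utc)

# Constructed sample log: one legitimate session (10.0.0.5), one client that
# hits API routes with no login (203.0.113.77), one rejected probe, and one
# event before the hunting window.
SAMPLE_LOG = """\
198.51.100.9 - - [27/Mar/2026:04:02:11 +0000] "GET /api/v1/policies HTTP/1.1" 200 0
10.0.0.5 - - [30/Mar/2026:09:12:01 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 512
10.0.0.5 - - [30/Mar/2026:09:12:07 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 8801
203.0.113.77 - - [31/Mar/2026:03:41:18 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 8801
203.0.113.77 - - [31/Mar/2026:03:41:25 +0000] "POST /api/v1/admins HTTP/1.1" 201 233
198.51.100.9 - - [31/Mar/2026:04:02:11 +0000] "GET /api/v1/policies HTTP/1.1" 401 0
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_api_hits(lines, start=HUNT_START):
    """Return (ip, iso_ts, method, path, status) for API 2xx responses to
    clients with no earlier successful login.

    Lines are processed in file order, assumed chronological. A client is
    treated as authenticated only after a 2xx response to LOGIN_PATH.
    """
    authenticated = set()
    suspicious = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < start:
            continue
        ok = 200 <= rec["status"] < 300
        if rec["path"] == LOGIN_PATH and rec["method"] == "POST" and ok:
            authenticated.add(rec["ip"])
            continue
        if rec["path"].startswith(API_PREFIX) and ok and rec["ip"] not in authenticated:
            suspicious.append(
                (rec["ip"], rec["ts"].isoformat(), rec["method"], rec["path"], rec["status"])
            )
    return suspicious


def summarize_by_source(hits):
    """Count flagged requests per source IP, most active first."""
    return Counter(h[0] for h in hits).most_common()


if __name__ == "__main__":
    found = find_unauthenticated_api_hits(SAMPLE_LOG.splitlines())
    for hit in found:
        print("SUSPICIOUS", *hit)
    print("by source:", summarize_by_source(found))
```

Treat flagged requests as leads, not verdicts: a client that authenticated before the log window opened will also be flagged, so widen the window or seed the authenticated set from earlier logs before escalating. Requests that returned 401 or 403 are deliberately left out, since the access control held in those cases; the flaw under discussion is the case where it did not.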
HRIM's Take
The real lesson from CVE-2026-35616 is not about one vendor or one CVE. It is about the compounding risk of exposed management planes. Every security product that requires a management server creates a new attack surface, and attackers have figured out that compromising the security tool itself is the fastest path to owning the entire environment. We recommend every organization conduct a management interface audit this quarter: enumerate every admin console, EMS server, and security orchestration platform that has network reachability beyond your NOC. If you cannot justify the exposure, close it. The best patch is a port that is not open.