April 6, 2026
Critical Auth Bypass Vulnerability in FortiClient EMS Under Active Exploitation (CVE-2026-35616)
On April 6th, CISA added a critical remote code execution vulnerability in FortiClient Enterprise Management Server to its Known Exploited Vulnerability (KEV) database. The vulnerability is being tracked as CVE-2026-35616 and is under active exploitation.
Executive Summary
On April 6th, CISA added a critical remote code execution (RCE) vulnerability in FortiClient Enterprise Management Server (EMS) to its Known Exploited Vulnerability (KEV) database. The vulnerability is being tracked as CVE-2026-35616 and impacts FortiClient EMS versions 7.4.5 and 7.4.6.
Limited technical details regarding the vulnerability have been released at the time of this writing. However, Fortinet PSIRT has also confirmed active exploitation in the wild.
As active exploitation has been documented, Beazley Security recommends that any affected organizations check FortiClient EMS systems for signs of compromise and apply released hotfixes immediately.
Affected Systems or Products
| Product | Affected Version | Patch / Fix Available |
| --- | --- | --- |
| FortiClient EMS | 7.4.5 | Hotfix released (see PSIRT advisory) |
| FortiClient EMS | 7.4.6 | Hotfix released (see PSIRT advisory) |
*FortiClient EMS 7.4.7 will also include a hotfix for this issue, but it has not been released at the time of this writing.
Mitigations / Workarounds
As active exploitation has been confirmed in the wild and hotfixes have been released, organizations should patch as soon as possible. If patching is not an immediate option, risk can be temporarily reduced by:
Restricting access to FortiClient EMS management interfaces to internal, trusted networks only.
If remote access is required to manage endpoint security, place access to FortiClient EMS behind a Virtual Private Network (VPN) rather than exposing the management interface directly.
Patches
Fortinet has confirmed that hotfixes have been released for versions 7.4.5 and 7.4.6 to prevent exploitation of this vulnerability. FortiClient EMS 7.4.7 will also include a fix. Hotfixes can be found by accessing the PSIRT advisory.
Indicators of Compromise
At the time of this writing, Fortinet PSIRT has confirmed active exploitation in the wild but has not publicly released indicators of compromise or technical details about the vulnerability.
The attack does not require authentication or user interaction, meaning exploitation can be carried out remotely by an attacker that has network access to an exposed FortiClient EMS instance.
Although no indicators of compromise have been released, defenders can monitor for:
Unexpected configuration changes to FortiClient EMS devices or modifications to downstream endpoint security policies.
Unauthorized user accounts or privilege escalation on FortiClient EMS devices.
Unexpected process execution or processes spawned by EMS services.
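The following script is an added example written for this advisory; it is not Beazley Security tooling and not a Fortinet-provided detection. It shows how the last two monitoring points (unauthorized accounts or privilege escalation, and unexpected processes spawned by EMS services) can be turned into concrete triage rules over Windows Sysmon process-creation (Event ID 1) and Security account-management (Event IDs 4720 and 4732) records. The EMS service image names, install paths and allowlists are placeholders, not confirmed Fortinet binaries, and must be replaced with an inventory taken from a known-good EMS host. The sample events are constructed. Monitoring for EMS configuration or policy changes (the first point) depends on the product's own audit logging and is not covered here.

```python
"""Triage Sysmon/Security events from a FortiClient EMS host for the
behaviours listed in the advisory. Added example; all service names,
paths and sample events below are placeholders or constructed data."""
import json
import ntpath

# Placeholder EMS service-stack images (assumption: replace with the real
# process inventory of your EMS host; these are NOT confirmed Fortinet names).
EMS_PARENT_IMAGES = {"ems_service.exe", "httpd.exe", "postgres.exe"}

# Children those services are expected to spawn (placeholder allowlist).
EXPECTED_CHILDREN = {"httpd.exe", "postgres.exe", "conhost.exe"}

# Interpreters and LOLBins an endpoint-management service has no reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe",
}

# Local groups whose membership changes on an EMS host warrant review.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def _basename(path):
    """Lower-cased file name from a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()


def check_process_event(ev):
    """Sysmon EID 1: flag children of EMS services that are shells or unexpected."""
    parent = _basename(ev.get("ParentImage"))
    child = _basename(ev.get("Image"))
    if parent not in EMS_PARENT_IMAGES:
        return None
    detail = f"{parent} -> {child}: {ev.get('CommandLine', '')}"
    if child in SUSPICIOUS_CHILDREN:
        return {"rule": "ems-spawned-shell", "severity": "high", "detail": detail}
    if child not in EXPECTED_CHILDREN:
        return {"rule": "ems-unexpected-child", "severity": "medium", "detail": detail}
    return None


def check_account_event(ev):
    """Security 4720 (account created) / 4732 (member added to local group)."""
    eid = ev.get("EventID")
    if eid == 4720:
        return {"rule": "local-account-created", "severity": "medium",
                "detail": f"new account {ev.get('TargetUserName')} by {ev.get('SubjectUserName')}"}
    if eid == 4732 and (ev.get("TargetUserName") or "").lower() in PRIVILEGED_GROUPS:
        return {"rule": "privileged-group-add", "severity": "high",
                "detail": f"{ev.get('MemberName')} added to {ev.get('TargetUserName')}"}
    return None


def triage(lines):
    """Run every JSON event line through the rules; return the list of alerts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("Source") == "Sysmon" and ev.get("EventID") == 1:
            hit = check_process_event(ev)
        elif ev.get("Source") == "Security":
            hit = check_account_event(ev)
        else:
            hit = None
        if hit:
            hit["host"] = ev.get("Computer")
            alerts.append(hit)
    return alerts


# Constructed sample events (JSON lines) using placeholder paths under ExampleEMS.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Source": "Sysmon", "EventID": 1, "Computer": "ems01",
     "ParentImage": r"C:\Program Files\ExampleEMS\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "ems01",
     "ParentImage": r"C:\Program Files\ExampleEMS\bin\ems_service.exe",
     "Image": r"C:\Program Files\ExampleEMS\bin\httpd.exe", "CommandLine": "httpd.exe -k start"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "ems01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "ems01",
     "ParentImage": r"C:\Program Files\ExampleEMS\bin\postgres.exe",
     "Image": r"C:\Windows\Temp\update.exe", "CommandLine": "update.exe"},
    {"Source": "Security", "EventID": 4720, "Computer": "ems01",
     "TargetUserName": "svc_backup2", "SubjectUserName": "SYSTEM"},
    {"Source": "Security", "EventID": 4732, "Computer": "ems01",
     "TargetUserName": "Administrators", "MemberName": "svc_backup2"},
    {"Source": "Security", "EventID": 4732, "Computer": "ems01",
     "TargetUserName": "Users", "MemberName": "jdoe"},
]]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed sample the script raises four alerts: the shell launched by the web service, the unknown binary launched by the database service, the new local account, and that account's addition to Administrators; the service starting its own web process, the interactive shell under explorer.exe, and the addition to the plain Users group are not flagged. The allowlist approach means the rules only become useful once `EMS_PARENT_IMAGES` and `EXPECTED_CHILDREN` reflect the real process tree of a clean EMS install.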
Technical Details
Fortinet PSIRT has not released technical details regarding this vulnerability at the time of writing. CVE-2026-35616 is classified by NIST as an insufficient access control vulnerability, meaning a remote attacker can exploit it without passing any authentication checks.
FortiClient EMS functions as an endpoint management platform handling endpoint security policy such as antivirus configuration, web filtering, and other endpoint security features. Compromise of an EMS server could grant an attacker administrative positioning within the management plane of an environment. An attacker with control over EMS could issue malicious commands to compromise downstream managed endpoints and further compromise sensitive data and assets.
Given active exploitation in the wild and downstream impacts of compromise, Beazley Security recommends affected organizations apply hotfixes immediately.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.