
Critical Fortinet FortiClientEMS Flaw Allows Unauthenticated Remote Code Execution

Fortinet confirmed active exploitation of CVE-2026-35616, a pre-authentication remote code execution flaw in FortiClientEMS versions 7.4.5 and 7.4.6.

Lisa Park

Attackers are already exploiting a critical vulnerability in Fortinet's FortiClientEMS that requires no credentials and no user interaction to compromise enterprise security infrastructure, placing security teams on emergency footing as the business week begins.

The flaw, tracked as CVE-2026-35616, stems from improper access control in specific API endpoints within FortiClientEMS versions 7.4.5 and 7.4.6. An unauthenticated attacker needs only to send specially crafted network requests to a vulnerable server to execute arbitrary commands under the service account running the affected software. Depending on that account's privileges, an attacker could install malicious programs, view or alter sensitive data, or create new administrative accounts, effectively seizing control of the management plane that governs endpoint security across an entire organization.

The blast radius is unusually wide. FortiClientEMS is a centralized platform organizations use to deploy and enforce security policies across thousands of endpoints simultaneously. Compromise of the server does not merely affect one machine; it hands an attacker control of an entire fleet. From that position, threat actors could disable security software on managed endpoints, pivot deeper into corporate networks, establish persistence across distributed environments, and stage data-exfiltration operations that can take weeks to detect.

The Center for Internet Security issued its advisory on April 4, framing CVE-2026-35616 as an urgent priority for government agencies and large enterprise defenders. Fortinet confirmed it has observed exploitation in the wild, a disclosure that moves the remediation timeline from planned maintenance to emergency action. Threat-intelligence vendors and security researchers noted that FortiClientEMS deployments frequently face the internet, particularly in organizations with remote workforces requiring centrally managed endpoint controls, making exposed instances straightforward targets for both opportunistic and sophisticated threat actors.

The path forward is sequential and time-sensitive. Security teams should apply Fortinet's emergency hotfix immediately after validating it in a controlled environment, then schedule an upgrade to version 7.4.7 or above once that release is available. Alongside patching, security operations centers need to pull logs from FortiClientEMS servers and hunt for anomalous API calls, unexpected account-creation events, and lateral-movement indicators that would signal a foothold has already been established. Any system showing signs of compromise should be isolated before remediation begins. Organizations detecting suspicious activity should initiate standard incident-response protocols; government and critical-infrastructure operators should also report to CISA.
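
One way to run the log hunt described above, as an added example that is not from the article or from Fortinet: it flags API requests that succeeded without authentication and admin accounts created shortly afterward. The event schema, the `/api/PLACEHOLDER` path, the 30-minute window and the sample events are constructed assumptions, not the FortiClientEMS log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (NOT the
# FortiClientEMS log format); map your own log fields onto these keys.
SAMPLE_EVENTS = """\
{"ts": "2026-04-05T02:10:00", "type": "api_request", "src": "10.0.0.5", "authenticated": true, "status": 200, "path": "/api/PLACEHOLDER"}
{"ts": "2026-04-05T02:14:07", "type": "api_request", "src": "203.0.113.50", "authenticated": false, "status": 401, "path": "/api/PLACEHOLDER"}
{"ts": "2026-04-05T02:14:09", "type": "api_request", "src": "203.0.113.50", "authenticated": false, "status": 200, "path": "/api/PLACEHOLDER"}
{"ts": "2026-04-05T02:15:30", "type": "account_created", "account": "svc-backup2", "role": "admin"}
{"ts": "2026-04-05T09:00:00", "type": "account_created", "account": "jdoe", "role": "admin"}
"""

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune locally


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def hunt(events, window=WINDOW):
    """Return (unauthenticated 2xx API calls, admin accounts created soon after one)."""
    anomalous, suspicious = [], []
    for e in events:  # events are time-ordered, so `anomalous` holds only earlier calls
        if e["type"] == "api_request":
            if not e["authenticated"] and 200 <= e["status"] < 300:
                anomalous.append(e)
        elif e["type"] == "account_created" and e.get("role") == "admin":
            preceding = [a for a in anomalous if e["ts"] - a["ts"] <= window]
            if preceding:
                suspicious.append((e["account"], sorted({a["src"] for a in preceding})))
    return anomalous, suspicious


if __name__ == "__main__":
    calls, accounts = hunt(parse_events(SAMPLE_EVENTS))
    for c in calls:
        print(f"unauthenticated success: {c['ts']} {c['src']} {c['path']}")
    for name, sources in accounts:
        print(f"admin account {name} created after unauthenticated calls from {sources}")
```

A rejected unauthenticated request (the 401 in the sample) is not flagged, and an admin account created outside the window (`jdoe`) is left for normal change-record review.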

The pre-authentication nature of this vulnerability is what separates it from a routine patching obligation. No credentials, no social engineering, and no insider access are required: a single network request to an exposed server is sufficient to begin an intrusion. In environments where patch cycles stretch across weeks, that window is long enough for adversaries to move laterally, exfiltrate data, and establish redundant persistence before detection. CIS's advisory is unambiguous: this is not a task to queue for the next change-management cycle. Organizations running vulnerable FortiClientEMS versions are operating with an open door, and the only responsible response is to close it before the next business day is out.
