FortiClientEMS unauthenticated RCE (CVE-2026-35616) [PoC]

Actively exploited in the wild - CVE-2026-35616 is a critical improper access control in Fortinet FortiClient EMS versions 7.4.5 through 7.4.6 that grants unauthenticated remote attackers full code execution and server compromise. Apply the vendor patch immediately to prevent takeover of all managed endpoints.

Overview

A critical vulnerability, tracked as CVE-2026-35616, has been identified in Fortinet’s FortiClient Endpoint Management Server (EMS). The flaw is an improper access control issue in versions 7.4.5 through 7.4.6. Due to the lack of proper authentication checks, an unauthenticated remote attacker can send specially crafted requests to the server, potentially leading to the execution of arbitrary code or commands.

Technical Details and Impact

This vulnerability has received the maximum CVSS v3.1 base score of 9.8 (CRITICAL). The high score is due to its network-based attack vector, low attack complexity, and the fact that it requires no privileges or user interaction to exploit. In practical terms, this means an attacker on the same network-or potentially from the internet if the EMS interface is exposed-can target the server without needing any login credentials. Successful exploitation could grant an attacker full control over the FortiClientEMS server, allowing them to install malware, steal sensitive endpoint management data, create backdoors, or pivot to other systems on the network. The FortiClientEMS is a central management console, so a compromise here could impact all managed endpoints.

Affected Products and Remediation

The vulnerability specifically affects FortiClientEMS versions 7.4.5, 7.4.6, and all intermediate builds.

Primary Action: Fortinet has released patches to address this vulnerability. All administrators must immediately upgrade to a fixed version. Consult the official Fortinet security advisory for the specific patched release.

Immediate Mitigation Steps:

1. Upgrade: Apply the vendor-provided patch as the highest priority.
2. Network Segmentation: Ensure the FortiClientEMS management interface is not directly exposed to the internet. Restrict access to it using firewall rules, allowing connections only from trusted administrative networks.
3. Monitor: Review logs from the FortiClientEMS server for any unusual or unauthorized connection attempts, particularly those resulting in process execution or configuration changes.

Until the patch is applied, treating the EMS server as critically exposed is essential. Organizations should assume it is a high-value target for attackers.

Security Insight

This critical flaw in a core network security management product follows a concerning pattern of high-severity vulnerabilities in central administrative platforms. Similar to the CyberStrikeAI tool adopted by hackers for AI-powered attacks, threat actors are increasingly automating the exploitation of such “command center” vulnerabilities to achieve maximum network impact with minimal effort. It underscores the critical need for defense-in-depth, where the security tools themselves must be rigorously hardened and isolated, not just the endpoints they manage.

Further Reading

• CyberStrikeAI tool adopted by hackers for AI-powered attacks
• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs