Executive Summary
In April 2026, Fortinet disclosed a critical improper access control vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server (EMS) versions 7.4.5 and 7.4.6. This flaw allows unauthenticated attackers to execute unauthorized code or commands via crafted requests, leading to potential remote code execution and privilege escalation. The vulnerability has been actively exploited in the wild, prompting Fortinet to release emergency hotfixes and advise immediate patching to mitigate the risk. (helpnetsecurity.com)
The exploitation of CVE-2026-35616 underscores the persistent targeting of Fortinet products by threat actors. Organizations are urged to apply the provided hotfixes promptly and monitor their systems for any signs of compromise to maintain robust security postures. (tenable.com)
Why This Matters Now
The active exploitation of CVE-2026-35616 highlights the urgency for organizations to patch their FortiClient EMS instances immediately. Delayed remediation increases the risk of unauthorized access, data breaches, and potential lateral movement within networks, emphasizing the need for prompt action to safeguard enterprise environments.
Attack Path Analysis
An unauthenticated attacker exploited improper access control and SQL injection vulnerabilities in FortiClientEMS to gain initial access. They escalated privileges by executing unauthorized code or commands on the EMS server. Utilizing the EMS's central role, the attacker moved laterally across managed endpoints by manipulating policies. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. The attack culminated in significant operational disruption and potential data loss.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited CVE-2026-35616 and CVE-2026-21643 in FortiClientEMS to gain unauthorized access.
Related CVEs
CVE-2026-35616
CVSS 9.8An improper access control vulnerability in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute unauthorized code or commands via crafted requests.
Affected Products:
Fortinet FortiClientEMS – 7.4.5, 7.4.6
Exploit Status:
exploited in the wildCVE-2026-21643
CVSS 9.8An SQL injection vulnerability in Fortinet FortiClientEMS version 7.4.4 allows unauthenticated attackers to execute unauthorized code or commands via specifically crafted HTTP requests.
Affected Products:
Fortinet FortiClientEMS – 7.4.4
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Web Shell
Command and Scripting Interpreter: PowerShell
Valid Accounts
Application Layer Protocol: Web Protocols
Exploitation of Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Bespoke and custom software are developed securely
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Critical vulnerability exploitation in FortiClient EMS threatens core security infrastructure, enabling unauthenticated remote code execution and compromising endpoint management systems.
Financial Services
SQL injection and access control vulnerabilities expose financial institutions to data exfiltration risks, violating PCI compliance requirements and enabling lateral movement attacks.
Health Care / Life Sciences
Authentication bypass vulnerabilities in endpoint management systems threaten patient data protection, violating HIPAA encryption and access control compliance standards.
Government Administration
Critical FortiClient EMS vulnerabilities enable unauthorized command execution on government networks, compromising sensitive data and facilitating advanced persistent threat campaigns.
Sources
- CVE-2026-35616 & CVE-2026-21643 – Fortinet FortiClientEMS: Overview & Takeawayshttps://www.netspi.com/blog/executive-blog/critical-vulnerability/cve-2026-35616-cve-2026-21643-fortinet-forticlientems-overview-takeaways/Verified
- CVE-2026-35616 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-35616Verified
- CVE-2026-21643 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2026-21643Verified
- Fortinet PSIRT Advisory FG-IR-26-099https://fortiguard.fortinet.com/psirt/FG-IR-26-099Verified
- Fortinet PSIRT Advisory FG-IR-25-1142https://fortiguard.fortinet.com/psirt/FG-IR-25-1142Verified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, and move laterally, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in FortiClientEMS would likely be constrained, limiting unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by executing unauthorized commands would likely be constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across managed endpoints would likely be constrained, limiting the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss.
The overall impact of the attack would likely be constrained, reducing operational disruption and data loss.
Impact at a Glance
Affected Business Functions
- Endpoint Management
- Security Policy Enforcement
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of endpoint management configurations and security policies.
Recommended Actions
Key Takeaways & Next Steps
- • Apply the latest security patches for FortiClientEMS to remediate CVE-2026-35616 and CVE-2026-21643.
- • Implement Zero Trust Segmentation to restrict lateral movement across managed endpoints.
- • Enhance East-West Traffic Security to monitor and control internal communications.
- • Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
