Latest Fortinet FortiClient Endpoint Management Server vulnerability: CVE-2026-35616 #
Fortinet disclosed that certain versions of the FortiClient Endpoint Management Server (EMS) are susceptible to an API authentication and authorization bypass vulnerability caused by improper access control. A remote, unauthenticated attacker could exploit this flaw by sending specially crafted requests to the server. A successful exploit may allow the attacker to execute unauthorized code or commands. This vulnerability has been designated CVE-2026-35616 and has been rated critical with a CVSS score of 9.1. Fortinet has confirmed that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- FortiClientEMS 7.4: Versions 7.4.5 through 7.4.6
What is Fortinet FortiClient Endpoint Management Server? #
Fortinet FortiClient Endpoint Management Server (EMS) is a centralized application used to deploy, configure, and monitor security settings on devices running the FortiClient agent.
What is the impact? #
Successful exploitation of this vulnerability would allow an adversary to execute unauthorized code or commands on the vulnerable host.
Are updates or workarounds available? #
Users are encouraged to upgrade affected systems to the following versions or apply the relevant hotfixes immediately:
- FortiClientEMS 7.4: Upgrade to 7.4.7 or later.
- FortiClientEMS 7.4.5: Apply hotfix 7.4.5.2111.
- FortiClientEMS 7.4.6: Apply hotfix 7.4.6.2170.
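The version table above can be turned into a quick triage check over a list of reported FortiClientEMS versions. This is an added example, not code from Fortinet or runZero; it assumes versions are reported as `major.minor.patch` with an optional hotfix build number, and it treats a build at or above the listed hotfix build as patched, which is our assumption rather than a statement in the advisory.

```python
"""Triage FortiClientEMS versions against the CVE-2026-35616 advisory table.

Affected: 7.4.5 through 7.4.6 without a hotfix. Patched: 7.4.7 or later, or
hotfix build 7.4.5.2111 / 7.4.6.2170 on the matching release. Sample inputs are
constructed; treating a build number at or above the listed hotfix as patched is
our assumption, not a statement from the advisory.
"""
from __future__ import annotations

import re

# Values taken from the advisory.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_RELEASE = (7, 4, 7)
HOTFIX_BUILDS = {(7, 4, 5): 2111, (7, 4, 6): 2170}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], int | None]:
    """Split 'major.minor.patch[.build]' into a release tuple and optional build."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiClientEMS version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), (int(build) if build else None)


def assess(text: str) -> str:
    """Return 'affected', 'patched' or 'not_listed' for one reported version."""
    release, build = parse_version(text)
    if release[:2] != (7, 4):
        return "not_listed"  # other branches are not named in the advisory
    if release >= FIXED_RELEASE:
        return "patched"
    if AFFECTED_MIN <= release <= AFFECTED_MAX:
        # Assumption: the listed hotfix build, or a later build on that release, is fixed.
        if build is not None and build >= HOTFIX_BUILDS[release]:
            return "patched"
        return "affected"
    return "not_listed"  # 7.4.x below 7.4.5 is not listed as affected


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group asset names by assessment; inventory maps asset name -> version string."""
    result: dict[str, list[str]] = {"affected": [], "patched": [], "not_listed": []}
    for asset, version in sorted(inventory.items()):
        result[assess(version)].append(asset)
    return result
```

Feed `triage()` a mapping of asset name to the version string your inventory tool reports, and review the `affected` list first.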
How to find potentially vulnerable systems with runZero #
From the Service inventory, use the following query to locate potentially impacted assets:
_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:=-800551065