Active Exploitation Alert: Fortinet CVE-2026-35616 (FortiClient EMS Zero-Day)
CVE-2026-35616 is an actively exploited Fortinet zero-day enabling unauthenticated RCE. Learn affected versions, risks, and required mitigation steps.
Key Takeaways
- CVE-2026-35616 is a critical zero-day vulnerability enabling unauthenticated remote code execution (RCE) in FortiClient EMS. This flaw allows attackers to execute arbitrary code without credentials, creating immediate risk of full system compromise for exposed environments running vulnerable versions.
- Active exploitation began before public disclosure, making this vulnerability especially dangerous. Attacks were observed as early as March 31, and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog confirms real-world threat activity and urgent remediation requirements.
- Only FortiClient EMS versions 7.4.5 and 7.4.6 are affected, and Fortinet has released 7.4.7 as an emergency hotfix. Organizations running these versions should assume compromise risk until patched, as over 2,000 exposed instances have already been identified globally.
- Logically has validated no current exposure across managed environments and continues proactive monitoring. Through unified visibility and continuous threat intelligence, we confirm affected versions are not present and maintain readiness to respond if risk conditions change.
- Immediate patching and continuous monitoring are mandatory for affected systems. This zero-day highlights how quickly attackers operationalize vulnerabilities, reinforcing the need for cyber-first operations, rapid validation, and decisive remediation strategies.
A newly disclosed critical vulnerability, CVE-2026-35616, is making waves across the cybersecurity landscape, and for good reason. This is not a theoretical risk or lab-based proof-of-concept. It is a true zero-day vulnerability actively being exploited in the wild, with real-world attacks already observed prior to public disclosure.
If your organization leverages Fortinet’s FortiClient EMS (Endpoint Management Server), this is one to understand immediately.
What is CVE-2026-35616?
CVE-2026-35616 is a critical unauthenticated remote code execution (RCE) vulnerability affecting FortiClient EMS. The root cause lies in an API authentication bypass, allowing attackers to execute arbitrary code on vulnerable systems without needing valid credentials.
Key characteristics:
- Attack Vector: Remote (no authentication required)
- Impact: Full system compromise (RCE)
- Exploit Status: Actively exploited in the wild
- Affected Versions: FortiClient EMS 7.4.5 and 7.4.6
- Patched Version: 7.4.7 (emergency hotfix)
The Risk of the Vulnerability Affecting FortiClient EMS
This vulnerability escalated quickly due to several concerning factors:
- Pre-disclosure exploitation: Attacks were observed as early as March 31st, before public advisories were released.
- CISA KEV inclusion: The vulnerability has already been added to the Known Exploited Vulnerabilities (KEV) catalog, signaling urgent risk.
- Wide exposure: Internet scanning organizations report 2,000+ exposed EMS instances globally.
- Emergency patch guidance: Fortinet has issued 7.4.7 as a hotfix, not a routine update—strongly indicating urgency.
In short: If you're running a vulnerable version, you should assume risk until patched.
Logically’s Current Exposure
After internal validation and review, no current exposure has been identified for managed customers.
Actions Taken
We’ve proactively addressed this situation with the following steps:
- Validated EMS versions across all managed customers using on-prem deployments
- Confirmed no systems fall within the affected range
- Monitoring for indicators of compromise (IOCs) as threat intelligence evolves
- Documented findings for compliance and audit readiness
Scope notes:
- This vulnerability is strictly limited to versions 7.4.5 and 7.4.6.
- Cloud-hosted EMS deployments are not affected.
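The version validation described above can be scripted against an asset inventory. The following is an added example (not Logically's tooling or Fortinet's own code) that classifies each EMS instance using only the facts in this advisory: 7.4.5 and 7.4.6 are affected, 7.4.7 is the hotfix, cloud-hosted deployments are out of scope, and anything that does not parse as a clean version string is flagged for manual review rather than silently treated as safe. The inventory rows and hostnames are constructed sample data.

```python
import csv
import io
from typing import Dict, List, Tuple

# Version facts from the advisory: only 7.4.5 and 7.4.6 are affected,
# 7.4.7 is the emergency hotfix, and cloud-hosted EMS is out of scope.
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
FIXED_VERSION = (7, 4, 7)

# Constructed sample inventory (hostname, deployment, version); not real hosts.
SAMPLE_INVENTORY_CSV = """hostname,deployment,version
ems-east-01,on-prem,7.4.5
ems-east-02,on-prem,7.4.7
ems-west-01,on-prem,7.4.6
ems-legacy-01,on-prem,7.2.9
ems-cloud-01,cloud,7.4.6
ems-unknown-01,on-prem,7.4.6-build1234
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else so it gets flagged for review."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def classify(version_text: str, deployment: str) -> str:
    """Map one EMS instance to: affected, patched, not-affected, cloud, or unknown."""
    if deployment.strip().lower() == "cloud":
        return "cloud (not affected)"
    try:
        version = parse_version(version_text)
    except ValueError:
        # Unparseable strings are never assumed safe; a human checks them.
        return "unknown (review manually)"
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version[:2] == FIXED_VERSION[:2] and version >= FIXED_VERSION:
        return "patched"
    # Outside the 7.4.5-7.4.6 range: not impacted by this specific CVE.
    return "not-affected"


def assess_inventory(csv_text: str) -> Dict[str, str]:
    """Return {hostname: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: classify(row["version"], row["deployment"]) for row in rows}


def hosts_needing_hotfix(csv_text: str) -> List[str]:
    """Hostnames that must receive the 7.4.7 hotfix as a Priority 1 action."""
    return sorted(h for h, s in assess_inventory(csv_text).items() if s == "affected")


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY_CSV).items():
        print(f"{host:16} {status}")
    print("needs 7.4.7 hotfix:", hosts_needing_hotfix(SAMPLE_INVENTORY_CSV))
```

The "unknown" bucket is the important design choice: version strings with build suffixes or odd formatting are common in exported inventories, and a checker that quietly drops them would report a clean environment while an affected host sits unexamined.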
What Happens If Exposure Changes?
While we are currently in a safe position, this remains a high-priority watch item. If any environment transitions to an affected 7.4.x build (7.4.5 or 7.4.6), we will:
- Treat remediation as a Priority 1 incident
- Immediately deploy the 7.4.7 hotfix
- Avoid delaying patching for standard maintenance windows
Key Takeaways
- This is a real-world zero-day, not a hypothetical vulnerability
- Unauthenticated RCE makes it especially dangerous
- Only specific EMS versions (7.4.5 / 7.4.6) are impacted
- We are currently not vulnerable, but continued vigilance is required
- Immediate patching is mandatory for affected systems
Final Thoughts
CVE-2026-35616 is another reminder of how quickly threat actors operationalize vulnerabilities—often before defenders even know they exist. Rapid validation, visibility into asset versions, and decisive patching strategies are what separate secure environments from compromised ones.
We’ll continue monitoring developments closely and will provide updates if the threat landscape evolves.
If you have questions about your environment or want help validating exposure, get support.
FAQ
What is CVE-2026-35616?
CVE-2026-35616 is a critical zero-day vulnerability in FortiClient EMS that allows unauthenticated remote code execution. Attackers can exploit an API authentication bypass to execute arbitrary code without credentials, leading to full system compromise in vulnerable environments running versions 7.4.5 or 7.4.6.
Which FortiClient EMS versions are affected by CVE-2026-35616?
FortiClient EMS versions 7.4.5 and 7.4.6 are affected by CVE-2026-35616. Fortinet released version 7.4.7 as an emergency hotfix to address the vulnerability. Versions outside this range and cloud-hosted EMS deployments are not impacted by this specific issue.
Is CVE-2026-35616 actively exploited?
CVE-2026-35616 is actively exploited in the wild, with attacks observed as early as March 31, before public disclosure. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming real-world exploitation and the need for immediate remediation.
How dangerous is an unauthenticated RCE vulnerability?
An unauthenticated remote code execution vulnerability is extremely dangerous because attackers do not need credentials to gain access. This allows full system compromise remotely, increasing the likelihood of widespread exploitation, lateral movement, and data breaches across affected environments.
What should organizations do to mitigate CVE-2026-35616?
Organizations should immediately upgrade to FortiClient EMS version 7.4.7 if running affected versions. Additional steps include validating version exposure, monitoring for indicators of compromise, and prioritizing patching outside standard maintenance windows to reduce risk quickly.
Is Logically affected by CVE-2026-35616?
Logically has confirmed no current exposure to CVE-2026-35616 across managed environments. All systems have been validated to ensure they are not running affected versions, and continuous monitoring is in place to detect any changes or emerging threats.