Vulnerability Assessment

CVE-2026-35616: FortiClient EMS API Bypass Under Active Exploitation

Fortinet released an emergency hotfix for CVE-2026-35616 after attackers began exploiting a pre-authentication API bypass in FortiClient EMS. CISA added it to KEV on April 6. Over 2,000 instances are internet-exposed, with significant concentration in Germany.

Katrin · Researcher · April 8, 2026 · 8 min read

What Is CVE-2026-35616 and Why Does It Matter Now

On April 4, 2026, Fortinet released an emergency hotfix for CVE-2026-35616, a critical improper access control vulnerability (CWE-284) in FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw carries a CVSS score of 9.1 and allows unauthenticated attackers to bypass API authentication and authorization protections entirely, executing arbitrary code or commands through crafted requests. Two days later, on April 6, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

FortiClient EMS is the central management platform that organizations use to deploy, configure, and monitor FortiClient endpoint agents across their networks. It handles policy distribution, software updates, VPN configuration, and compliance enforcement for every managed endpoint. Compromising EMS does not just affect one server — it provides an attacker with a control plane over every endpoint in the organization that relies on it. This makes CVE-2026-35616 a particularly high-value target for threat actors seeking broad network access through a single entry point.

How the Attack Chain Works

The vulnerability exists in the FortiClient EMS API layer. Under normal operation, API endpoints are protected by authentication and authorization checks that verify the caller has valid credentials and appropriate permissions. CVE-2026-35616 allows attackers to craft HTTP requests that bypass these checks entirely, reaching privileged API functions without any authentication. This is not a credential-guessing attack or a brute-force scenario — it is a logic flaw that makes authentication irrelevant.

Once past the API gateway, an attacker can execute commands on the EMS server with the privileges of the service process. In practice, this means reading and modifying endpoint policies, pushing malicious configurations to managed clients, extracting stored credentials for VPN and directory integrations, and potentially pivoting to Active Directory or cloud environments through harvested secrets. The watchTowr research team first recorded exploitation attempts against honeypots on March 31, 2026, nearly a week before the official hotfix. This timeline suggests that exploitation was happening before most defenders were aware of the vulnerability.

The attack surface is amplified by the architecture of EMS deployments. Many organizations expose the EMS web interface to allow remote endpoint check-ins, which means the vulnerable API is often reachable from the internet. Unlike an internal-only service where exploitation requires network proximity, internet-facing EMS instances can be discovered and attacked by anyone running a simple port scan.

How Many Instances Are Exposed

Shadowserver Foundation scans identified over 2,000 FortiClient EMS instances directly accessible from the internet, with the largest concentrations in the United States and Germany. Separate Shodan queries corroborate this, showing close to 1,000 instances with identifiable EMS fingerprints on common ports. The actual number of vulnerable deployments is likely higher, since not all instances respond to standard fingerprinting and some sit behind load balancers or reverse proxies that obscure the underlying service.

For European mid-market organizations, this is particularly relevant. Fortinet holds significant market share in the DACH region, where FortiClient EMS is commonly deployed by managed service providers and internal IT teams to handle endpoint security at scale. Many of these deployments serve organizations in sectors that fall under NIS2 regulation: manufacturing, healthcare, energy, and digital infrastructure. An unpatched, internet-exposed EMS instance in these environments is both a technical vulnerability and a compliance gap that can trigger management liability under the new BSI Act.

How to Detect Exposure and Respond

Start with version verification. If you are running FortiClient EMS 7.4.5 or 7.4.6, apply the emergency hotfix released on April 4 immediately. Version 7.2 is not affected. If the hotfix cannot be applied within hours, restrict network access to the EMS web interface to trusted management networks only, removing any internet-facing exposure as a compensating control.

Next, check for indicators of compromise. Review EMS server logs for unusual API calls, especially unauthenticated requests to privileged endpoints. Look for unexpected policy changes pushed to managed endpoints, new or modified VPN configurations, and any evidence of credential extraction from the EMS database. If your EMS was internet-exposed during the exploitation window (March 31 onward), treat stored credentials — LDAP bind accounts, AD integration secrets, VPN pre-shared keys — as potentially compromised and rotate them.

Finally, address the structural exposure. An attack surface assessment should answer whether your EMS management interface is reachable from the internet, whether access controls limit who can reach it, and whether your monitoring detects anomalous API activity. Organizations that discover their EMS was exposed should conduct a broader review: if one management plane was internet-accessible, others likely are too.
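The version check and log review described in the three steps above, as an added triage example that is not part of the original article or any Fortinet tooling. The log line format, the privileged API path prefixes, and the trusted management network are assumptions (Fortinet's real EMS log format and API routes are not given on this page); adapt them to your deployment.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Affected builds named in the advisory summary above; the hotfix build number
# is not stated on this page, so only these two are flagged.
AFFECTED_VERSIONS = {"7.4.5", "7.4.6"}

# Start of the exploitation window recorded by watchTowr honeypots.
EXPLOITATION_WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)

# Placeholder path prefixes standing in for privileged EMS API routes (assumed).
PRIVILEGED_API_PREFIXES = ("/api/v1/policies", "/api/v1/endpoints", "/api/v1/settings")

# Management networks allowed to reach the EMS interface (assumed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed log format, not Fortinet's: ISO timestamp, source IP, method,
# path, HTTP status, and auth=yes|no for whether a valid session was present.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

def is_affected(version: str) -> bool:
    """True only for the EMS builds this page names as vulnerable."""
    return version.strip() in AFFECTED_VERSIONS

def triage_log(lines):
    """Flag successful (2xx) unauthenticated requests to privileged API paths
    from outside the trusted management networks during the exploitation window."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the constructed format
        ts = datetime.fromisoformat(m["ts"])
        src = ipaddress.ip_address(m["src"])
        privileged = m["path"].startswith(PRIVILEGED_API_PREFIXES)
        trusted = any(src in net for net in TRUSTED_NETS)
        if (ts >= EXPLOITATION_WINDOW_START and privileged and m["auth"] == "no"
                and m["status"].startswith("2") and not trusted):
            findings.append({"ts": m["ts"], "src": str(src), "path": m["path"]})
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real EMS output
    "2026-03-30T22:10:04+00:00 198.51.100.7 GET /api/v1/policies 200 auth=no",
    "2026-04-01T03:14:22+00:00 198.51.100.7 POST /api/v1/policies 200 auth=no",
    "2026-04-01T03:15:01+00:00 10.20.5.9 POST /api/v1/policies 200 auth=yes",
    "2026-04-01T03:16:40+00:00 203.0.113.5 GET /api/v1/settings 401 auth=no",
    "2026-04-02T11:02:13+00:00 203.0.113.5 GET /api/v1/endpoints 200 auth=no",
]
```

Any source IP that appears in the findings is a candidate for the credential rotation and broader exposure review described above; a rejected (401) request is still worth noting as reconnaissance even though it is not flagged here.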

What This Means for NIS2-Regulated Organizations

The April 2026 BSI registration deadline for NIS2-regulated entities in Germany coincides almost exactly with this vulnerability disclosure. Organizations that are completing their NIS2 registration must demonstrate active risk management, including timely vulnerability response and supply-chain oversight. A KEV-listed, actively exploited vulnerability in a widely deployed endpoint management platform is precisely the scenario where regulators expect documented action — not just eventual patching, but evidence of detection, triage, containment, and remediation within defined timelines.

For security teams, this event is a practical test of incident response maturity. Can you determine within hours whether your FortiClient EMS is affected, exposed, and potentially compromised? Can you rotate dependent credentials without disrupting endpoint management for your workforce? Can you document the entire response for audit purposes? Organizations that built these capabilities ahead of NIS2 enforcement will handle CVE-2026-35616 as a routine operational event. Those that did not will experience it as a crisis that exposes exactly the governance gaps NIS2 was designed to address.
