What is CVE-2026-35616?

CVE-2026-35616 is an improper access control vulnerability (CWE-284) in Fortinet FortiClient EMS — the centralized server that manages FortiClient endpoint agents across an enterprise. The flaw exists in the EMS API layer, where authentication and authorization checks can be completely bypassed using specially crafted HTTP requests.

Is CVE-2026-35616 being actively exploited?

Security firm watchTowr detected the first exploitation attempts against their honeypot infrastructure on March 31, 2026 — four days before Fortinet published its advisory. According to watchTowr CEO Benjamin Harris, initial exploitation was "low and slow," suggesting careful, targeted attacks by sophisticated operators.

Am I exposed to CVE-2026-35616?

Earlier versions (7.4.4 and below) and the 7.2.x and 8.0.x branches are not affected. If you're running 7.4.5 or 7.4.6, your endpoint management server is exposed.

How do I fix CVE-2026-35616?

Fortinet has released hotfixes for both affected versions. These are available through FortiGuard and documented in advisory FG-IR-26-099.

CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth API Bypass — Zero-Day Under Active Exploitation

By the Pinaka team — April 15, 2026

CVE-2026-35616 is a critical (CVSS 9.1) zero-day vulnerability in Fortinet FortiClient EMS 7.4.5 and 7.4.6 that allows unauthenticated attackers to bypass API authentication and execute arbitrary commands. Actively exploited since March 31, 2026 and added to CISA KEV on April 6. Hotfix available via FG-IR-26-099.

Topics: CVE Analysis, Fortinet, Zero-Day, CISA KEV, Endpoint Security

Read full analysis