Fortinet FortiClient EMS Flaw Under Fresh Exploitation
A critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) is being exploited in fresh attacks, according to new reporting from SecurityWeek. Fortinet initially issued an emergency hotfix for the flaw in April 2026, warning at the time that it had already been exploited in the wild as a zero-day. The continued exploitation confirms that a significant number of organizations have yet to apply the available patch.
FortiClient EMS is an enterprise endpoint security management platform used by organizations to centrally manage and enforce security policies on Fortinet-protected endpoints. Its role as a central management point for endpoint security makes it a high-value target — compromising EMS can give attackers control over an organization's entire endpoint security posture.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE | CVE-2026-35616 |
| Product | Fortinet FortiClient EMS |
| Attack Type | Critical vulnerability (remote exploitation) |
| Exploitation Status | Actively exploited (zero-day and ongoing) |
| Hotfix Available | Yes — issued April 2026 |
| Patch Status | Full patch released May 2026 |
Fortinet classified the vulnerability as critical and issued hotfixes on an accelerated timeline in April 2026 after observing active exploitation. The continued wave of attacks through May 2026 suggests either slow patch adoption or ongoing targeting of environments where the April hotfix was not applied.
What Is FortiClient EMS?
FortiClient EMS (Endpoint Management Server) is the central management and orchestration component of Fortinet's endpoint security platform. It is responsible for:
- Deploying and managing FortiClient endpoint agents across an organization's fleet
- Enforcing endpoint compliance policies (firewall rules, patch status, encryption)
- Providing centralized visibility into endpoint security posture
- Integrating with FortiGate firewalls and the broader Fortinet Security Fabric
Because EMS acts as a trusted management plane for all FortiClient-managed endpoints, a successful compromise of an EMS server gives an attacker extraordinary leverage. Attackers who control EMS can potentially push malicious configurations, disable endpoint protections, or use EMS's trusted relationship with endpoints for lateral movement.
Exploitation Context
The vulnerability's exploitation follows a pattern increasingly common with high-severity Fortinet flaws. The company has faced a series of actively exploited vulnerabilities across its product line in 2025 and 2026:
- CVE-2026-20131 — Cisco FMC (March 2026), Interlock ransomware
- CVE-2026-35616 — FortiClient EMS (April–May 2026)
- Multiple FortiGate SSL-VPN vulnerabilities (ongoing)
Threat actors — including ransomware affiliates and nation-state groups — have demonstrated a pattern of rapid exploitation of Fortinet product vulnerabilities, often moving from disclosure to mass exploitation within days. The active exploitation of CVE-2026-35616 in May 2026, weeks after hotfixes were available, is consistent with this established pattern.
Who Is at Risk
Organizations running FortiClient EMS that have not applied the April 2026 hotfix or the subsequent full patch release are at immediate risk. Priority exposure includes:
- Enterprise environments where FortiClient EMS is internet-accessible or reachable from compromised network segments
- Organizations using FortiClient EMS as part of a zero-trust network access (ZTNA) deployment
- Managed service providers (MSPs) managing multiple client environments via a shared EMS instance — a compromise here could cascade to all managed clients
Recommendations
Immediate Actions
- Apply the patch now — Update FortiClient EMS to the patched version per Fortinet's security advisory. If you applied only the April hotfix, ensure the full patch has been deployed
- Check for indicators of compromise — Review EMS server logs for anomalous activity, unexpected administrative actions, or unusual endpoint policy changes
- Restrict EMS access — Ensure FortiClient EMS is not directly internet-accessible; place it behind a firewall with access limited to authorized management networks
- Audit endpoint configurations — Review recently pushed endpoint policies from EMS to detect any unauthorized changes
Verification Steps
# Check FortiClient EMS version (on EMS server)
# Consult Fortinet advisory for minimum secure version numbers
# Review EMS audit logs for:
# - Unexpected admin logins
# - Configuration exports
# - Policy modifications outside change windows
# - API calls from unfamiliar IP addressesDetection Guidance
| Indicator | Significance |
|---|---|
| Unexpected EMS admin account creation | Possible persistence mechanism |
| Policy pushes outside scheduled windows | Potential unauthorized EMS control |
| EMS API calls from unknown IP addresses | External attacker using API access |
| FortiClient agents suddenly reporting to different EMS | Possible endpoint hijacking |
| Disabled endpoint security components | Attacker disabling defenses via EMS |
Fortinet's Response
Fortinet issued hotfixes for CVE-2026-35616 in April 2026 upon confirming active exploitation, and released a full patch in May 2026. The company has published a security advisory with version information and mitigation guidance. Organizations should reference the official Fortinet PSIRT advisory for authoritative version details and patching instructions.
Patch Urgency
The continued active exploitation of CVE-2026-35616 makes patching a critical, time-sensitive priority. The combination of high severity, active exploitation, and the strategic value of EMS as a management platform creates conditions where delayed patching carries substantial organizational risk. Security teams should treat this as a P1 remediation item and escalate to ensure patching occurs within 24–48 hours of this advisory.
Source: SecurityWeek