Code Defence Cyber security

CISA adds critical Fortinet FortiClient EMS zero-day to KEV following mass exploitation

Your endpoint management infrastructure is currently being weaponized to execute unauthorized commands via a critical API authentication bypass. This vulnerability allows unauthenticated remote attackers to gain a persistent foothold within the core of your security fabric.

CVE-2026-35616 is an improper access control flaw in Fortinet FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. By sending crafted HTTP requests to the management API, an attacker can bypass all authentication checks and execute arbitrary code with system privileges. CISA added this to the KEV catalog on April 6 after researchers observed sustained exploitation campaigns beginning over the Easter holiday weekend.

The targeting of endpoint management servers is a strategic escalation because these systems are often granted broad network permissions and possess the “keys to the kingdom” for every managed device in the fleet. Many organizations treat these servers as internal management infrastructure, but their public-facing APIs for remote worker support create a direct and unauthenticated attack path.

– Apply the emergency hotfix for FortiClient EMS 7.4.5 or 7.4.6 immediately or upgrade to version 7.4.7.

– Restrict all access to the EMS management API to trusted administrative IP ranges or an OOB management network.

– Audit EMS logs for anomalous API requests or the creation of unauthorized administrative accounts dating back to March 31.

– Utilize EDR to monitor for unusual child processes spawned by the FortiClient EMS service on the host operating system.
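The second and third checklist items (restrict the management API to trusted administrative ranges; audit the logs back to March 31 for anomalous API requests and unauthorized administrator creation) can be turned into a small triage pass. The script below is an added example written for this post; it is not Fortinet's tooling and the log line format it parses is constructed for illustration, since the real FortiClient EMS log schema is not described here. The trusted ranges, the field names and the sample lines are all assumptions.

```python
# Added example (not from the original post or Fortinet): triage helper that
# reviews API access log lines for the two audit signals the checklist names:
# requests from outside the trusted administrative ranges, and administrator
# accounts created on or after 31 March.
# The log format is constructed for illustration; the real FortiClient EMS
# log schema is not described on the page and is not assumed here.
import ipaddress
import re
from datetime import date, datetime

# Assumed out-of-band / administrative networks (placeholders, not real values)
TRUSTED_ADMIN_RANGES = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]
AUDIT_START = date(2026, 3, 31)  # lookback start named in the post

# Constructed sample lines in a hypothetical format:
# "<iso timestamp> src=<ip> method=<m> path=<p> status=<code> [event=<e> user=<u>]"
SAMPLE_LOG = """\
2026-03-30T08:12:01Z src=10.10.0.5 method=GET path=/api/v1/endpoints status=200
2026-04-01T02:33:17Z src=203.0.113.44 method=POST path=/api/v1/auth/login status=200
2026-04-01T02:33:19Z src=203.0.113.44 method=POST path=/api/v1/admins status=201 event=admin_created user=svc_backup2
2026-04-02T11:00:00Z src=10.10.0.7 method=POST path=/api/v1/admins status=201 event=admin_created user=helpdesk3
2026-04-03T23:58:40Z src=198.51.100.9 method=GET path=/api/v1/endpoints status=403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d+)(?: event=(?P<event>\S+))?(?: user=(?P<user>\S+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(src, ranges=TRUSTED_ADMIN_RANGES):
    """True when the source address falls inside one of the trusted admin ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(addr in net for net in ranges)


def triage(log_text, ranges=TRUSTED_ADMIN_RANGES, audit_start=AUDIT_START):
    """Return a list of findings (dicts) for lines an analyst should review.

    Two reasons are emitted: 'untrusted_api_request' for any API call from
    outside the trusted ranges (denied attempts included, since they show who
    is probing the API), and 'admin_created' for administrator creation
    events; the latter is 'high' severity when it came from an untrusted
    source and 'review' when it came from a trusted one.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"].date() < audit_start:
            continue  # unparseable or outside the lookback window
        trusted = is_trusted(rec["src"], ranges)
        base = {"ts": rec["ts"], "src": rec["src"], "path": rec["path"]}
        if not trusted and rec["path"].startswith("/api/"):
            findings.append({**base, "reason": "untrusted_api_request", "severity": "high"})
        if rec.get("event") == "admin_created":
            findings.append({**base, "reason": "admin_created",
                             "user": rec.get("user"),
                             "severity": "high" if not trusted else "review"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['severity']:6} {f['reason']:22} "
              f"src={f['src']} path={f['path']} user={f.get('user', '-')}")
```

Against the constructed sample the pass skips the March 30 line, flags the three requests from outside the admin ranges (including the denied one), and reports both administrator creations, with the one from 203.0.113.44 marked high and the one from the admin range left for review. In a real deployment the parser would be replaced with one for the actual EMS export format, and the trusted ranges would come from the same allow-list enforced on the API.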

When the management plane is compromised, the entire endpoint security posture is effectively neutralized. #CodeDefence #Fortinet #FortiClient #CISA