Your endpoint management infrastructure is being targeted by unauthenticated attackers to achieve remote code execution via an API authentication bypass. This vulnerability provides a direct path to the administrative core of your endpoint security posture.
CVE-2026-35616 is a critical improper access control flaw in Fortinet FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. By sending crafted HTTP requests to the management API, an attacker can bypass authorization controls and execute arbitrary commands with the privileges of the EMS service. CISA added this to the KEV catalog on April 6 after confirming zero-day exploitation by financially motivated threat actors.
Security teams often view endpoint management servers as internal-only assets, yet they frequently remain exposed to the public internet for remote worker connectivity. This “management plane exposure” is a recurring architectural failure point that allows attackers to disable security controls across the entire enterprise fleet from a single unauthenticated entry point.
– Apply the emergency hotfix for FortiClient EMS 7.4.5 or 7.4.6 immediately or upgrade to version 7.4.7.
– Restrict all access to the EMS management interface to authorized administrative IP ranges or an OOB management network.
– Audit EMS logs for unauthorized API requests or the creation of anomalous administrative accounts.
– Monitor for unusual child processes spawned by the FortiClient EMS service on the host operating system.
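The last two points are a detection task, so here is an added example of the child-process check (this is illustrative code written for this post, not a Fortinet tool or an EMS feature). It walks Sysmon Event ID 1 (process creation) records that have already been converted to dicts, keeps only those whose parent is the management service, and grades any unexpected child. The parent image name `ems_service.exe`, the install path, the expected-children allowlist and every sample event are assumptions made up for the demo; substitute the real FortiClient EMS service binary and a baseline of its normal children before using it.

```python
"""Flag anomalous child processes of an endpoint-management service.

Added example, not Fortinet code. Input: Sysmon Event ID 1 (process
creation) records as dicts. The service image name and sample events
below are ASSUMED placeholders constructed for this demo.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder for the EMS service executable name(s).
MONITORED_PARENTS = {"ems_service.exe"}

# ASSUMPTION: children the service normally spawns; build this from a
# baseline on a known-good host, it is environment-specific.
EXPECTED_CHILDREN = {"conhost.exe"}

# Living-off-the-land binaries a web management service has no reason to spawn.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?(?=\s|$)")


@dataclass
class Alert:
    severity: str   # "medium" | "high" | "critical"
    parent: str
    child: str
    cmdline: str
    utc_time: str


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def grade(child, cmdline):
    """Severity for an unexpected child of the management service."""
    if child in LOLBINS:
        # Encoded PowerShell under a service process is a classic post-RCE stager.
        if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmdline):
            return "critical"
        return "high"
    return "medium"   # unknown binary: still worth a look, parent should not spawn it


def detect(events):
    """Return Alerts for every non-allowlisted child of a monitored parent."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent not in MONITORED_PARENTS:
            continue
        child = basename(ev.get("Image", ""))
        if child in EXPECTED_CHILDREN:
            continue
        cmdline = ev.get("CommandLine", "")
        alerts.append(Alert(grade(child, cmdline), parent, child, cmdline,
                            ev.get("UtcTime", "")))
    return alerts


# Constructed sample events (paths and times are invented for the demo).
EMS = r"C:\Program Files\EMS\ems_service.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-04-07 02:11:03", "ParentImage": EMS,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"EventID": 1, "UtcTime": "2026-04-07 02:11:09", "ParentImage": EMS,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "UtcTime": "2026-04-07 02:11:15", "ParentImage": EMS,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"EventID": 1, "UtcTime": "2026-04-07 02:12:40", "ParentImage": EMS,
     "Image": r"C:\ProgramData\tmp\upd.exe", "CommandLine": "upd.exe"},
    {"EventID": 1, "UtcTime": "2026-04-07 02:13:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},   # not our parent
    {"EventID": 3, "UtcTime": "2026-04-07 02:13:05", "Image": EMS},         # network event, skipped
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.utc_time} {a.parent} -> {a.child}: {a.cmdline}")
```

On the constructed input this raises three alerts (cmd.exe as high, the encoded PowerShell as critical, the unknown upd.exe as medium) and ignores the conhost child, the explorer-spawned shell and the non-creation event. Feed it the Sysmon or EDR process-creation stream for the EMS host and pair it with the log audit in the previous point: an API request that succeeds without a session followed by a shell under the service process is the sequence this bug would produce.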
The security of your endpoints is inextricably linked to the integrity of the server that manages them; its compromise is a total loss event for the local trust boundary. #CodeDefence #Fortinet #FortiClient #CISA