Code Defence Cyber security

Fortinet FortiClient EMS zero-day exploitation surges as hotfix deployment lags

Attackers have significantly ramped up exploitation of a critical zero-day vulnerability in endpoint management infrastructure. This improper access control flaw provides an unauthenticated path to execute code with administrative privileges on the server managing your entire endpoint fleet.

CVE-2026-35616 affects Fortinet FortiClient Enterprise Management Server (EMS). Despite the availability of an emergency hotfix released over the holiday weekend, nearly 2,000 instances remain publicly exposed. Attackers are currently probing these instances to bypass API authentication and deploy secondary payloads. CISA added this flaw to the KEV catalog earlier this week, mandating urgent remediation.

Holiday weekends are a preferred window for threat actors because reduced security staffing creates an operational gap. Delays in deploying hotfixes for perimeter management software give attackers time to establish persistent backdoors that remain hidden long after the holiday shift ends.

– Apply the Fortinet emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6 immediately.

– Strictly restrict all access to the EMS management interface to authorized administrative IP ranges or an out-of-band (OOB) management network.

– Conduct a retroactive audit of EMS server logs for anomalous API requests or unauthorized account creation.

– Utilize EDR to monitor for unusual child processes spawned by the FortiClient EMS service on the management host.
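The two log-focused steps above (restricting the management interface to approved IP ranges and auditing for anomalous API requests or unauthorized account creation) can be turned into a small retroactive check. The script below is an added example, not Fortinet's or Code Defence's tooling; the key=value log format, the `user=-` convention for unauthenticated requests, the API paths and the 10.20.0.0/24 allowlist are all constructed assumptions, so the regex and path list must be adapted to the real EMS log format before use.

```python
"""Retroactive audit of an EMS-style access log (added example, constructed format).

Flags three things the post asks defenders to look for:
  * API requests from sources outside the administrative allowlist
  * successful API calls that carry no authenticated user
  * account-creation events on the management API
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines; NOT real FortiClient EMS output.
SAMPLE_LOG = """\
2026-01-03T02:14:07Z src=10.20.0.15 method=POST path=/api/v1/auth/login status=200 user=admin
2026-01-03T02:15:31Z src=198.51.100.23 method=POST path=/api/v1/users status=201 user=-
2026-01-03T02:15:32Z src=198.51.100.23 method=POST path=/api/v1/users status=201 user=svc_backup
2026-01-03T02:16:02Z src=198.51.100.23 method=GET path=/api/v1/endpoints status=200 user=-
2026-01-03T09:00:11Z src=10.20.0.16 method=GET path=/api/v1/endpoints status=200 user=opsadmin
"""

# Assumed administrative ranges; replace with your own allowlist.
ADMIN_RANGES = [ipaddress.ip_network("10.20.0.0/24")]

# Paths that legitimately complete without an authenticated user (assumed).
UNAUTH_OK_PATHS = {"/api/v1/auth/login"}

# Account-creation endpoint (assumed for this constructed format).
ACCOUNT_CREATE_PATH = "/api/v1/users"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, admin_ranges=ADMIN_RANGES):
    """Return a list of (finding_type, record) tuples for the given log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        success = rec["status"].startswith("2")

        # 1. Management API reached from outside the approved ranges.
        if not any(src in net for net in admin_ranges):
            findings.append(("api_from_unapproved_source", rec))

        # 2. Successful API call with no authenticated identity, on a path
        #    that should require one.
        if success and rec["user"] == "-" and rec["path"] not in UNAUTH_OK_PATHS:
            findings.append(("unauthenticated_api_success", rec))

        # 3. Account creation; every hit deserves a manual review.
        if rec["method"] == "POST" and rec["path"] == ACCOUNT_CREATE_PATH and success:
            findings.append(("account_created", rec))
    return findings


def summarize(findings):
    """Count findings by type; handy for a first triage pass."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for kind, rec in results:
        print(f"{kind:28s} {rec['ts']} {rec['src']:16s} {rec['method']} {rec['path']} user={rec['user']}")
    print(dict(summarize(results)))
```

On the constructed sample, every request from 198.51.100.23 is flagged as coming from an unapproved source, the two `user=-` calls that returned 2xx on non-login paths are flagged as unauthenticated successes, and both `POST /api/v1/users` hits are reported as account creations. Sources that appear in more than one category (here the same external address) are the ones to escalate first.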

The integrity of the endpoint is only as strong as the security of the server that manages its policies. #CodeDefence #Fortinet #CISA #EndpointSecurity