Fortinet has disclosed CVE-2026-35616, a critical security issue in FortiClient EMS that affects versions 7.4.5 and 7.4.6. The core problem is an improper access control flaw in the API, and both Fortinet and NVD describe it as a bug that may let an unauthenticated attacker send crafted requests and execute unauthorized code or commands.
That combination makes this a serious defensive issue. The public CVSS vector attached to the CVE is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which means the attack is remotely reachable over the network, does not require prior access, and can have high impact on confidentiality, integrity, and availability. NVD currently shows the Fortinet CNA score as 9.8 Critical, while Fortinet's own advisory page currently lists CVSS 9.1, so the exact number is not perfectly aligned yet, but the severity is clearly in the critical range either way.
What the Vulnerability Is
The official Fortinet advisory calls this issue an "API authentication and authorization bypass." That wording is more revealing than the generic CWE label by itself. In plain English, it suggests the EMS API may fail to properly verify who is allowed to access certain functionality, opening the door for a remote party to reach protected operations without valid authentication.
NVD phrases the impact a bit more bluntly: an unauthenticated attacker may be able to execute unauthorized code or commands via crafted requests. That is why this bug stands out from ordinary web admin issues. This is not just a visibility problem or a minor permissions mistake. It is the kind of vulnerability that can lead directly to server compromise if a vulnerable system is exposed and not patched.
Which Versions Are Affected
Based on Fortinet's advisory, the affected range is narrow but important:
- FortiClient EMS 7.4.5 through 7.4.6 are affected
- FortiClient EMS 7.2 is not affected
- FortiClient EMS 7.4.7 is expected to include a fix, and Fortinet says the available hotfixes for 7.4.5 and 7.4.6 are sufficient in the meantime
That means this is not a case where every recent branch is in scope. It is specifically a problem for organizations running the affected 7.4.x builds.
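The version boundaries above are easy to get wrong in a hurried inventory sweep, so here is a small triage helper, added as an example for this post rather than anything Fortinet publishes. It encodes only what the advisory states: 7.4.5 through 7.4.6 affected, 7.2 not affected, 7.4.7 the fixed release, and hotfixes for the two affected builds as an acceptable interim state. The input shapes ("7.4.5", "v7.4.6 build 2027") and the inventory rows are constructed; the hotfix flag is a separate field because a hotfixed 7.4.5 will still report itself as 7.4.5, so the version string alone cannot tell you whether the interim fix is in place.

```python
import re

# Boundaries taken from the Fortinet advisory as quoted in this post.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_FROM = (7, 4, 7)


def parse_version(text: str) -> tuple:
    """Pull major.minor.patch out of strings such as '7.4.5', 'v7.4.6' or
    '7.4.5 build 2027'. These input shapes are assumptions for the example;
    adapt the pattern to whatever your inventory tooling actually emits."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version_text: str, hotfix_applied: bool = False) -> str:
    """Classify one EMS install against the advisory's stated ranges."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch == (7, 2):
        return "not-affected"        # advisory: 7.2 branch is not affected
    if branch != (7, 4):
        return "not-listed"          # branch not covered by the advisory; confirm with the vendor
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        # Fortinet says the 7.4.5 / 7.4.6 hotfixes are sufficient in the meantime,
        # but the version number does not reveal whether one was installed.
        return "hotfixed" if hotfix_applied else "affected"
    if version >= FIXED_FROM:
        return "fixed"               # 7.4.7 is the release that carries the fix
    return "not-listed"              # 7.4.0-7.4.4: not named either way in the advisory


def sweep(inventory):
    """inventory: iterable of (hostname, version_string, hotfix_applied)."""
    return {host: triage(ver, hotfix) for host, ver, hotfix in inventory}


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    example_inventory = [
        ("ems-prod-01", "7.4.5 build 2027", False),
        ("ems-prod-02", "v7.4.6", True),
        ("ems-lab-01", "7.2.9", False),
        ("ems-dr-01", "7.4.7", False),
        ("ems-old-01", "7.4.3", False),
    ]
    for host, status in sweep(example_inventory).items():
        print(f"{host:12s} {status}")
```

Anything that comes back as "affected" is the urgent patching list; "not-listed" entries deserve a vendor check rather than an assumption of safety.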
Why Defenders Should Pay Attention
This vulnerability affects FortiClient EMS, which is a management platform. That matters because management systems are usually more sensitive than ordinary application servers. They often sit in a trusted administrative role, hold privileged workflows, and can become a central foothold if compromised. That makes a remotely reachable, unauthenticated API flaw much more dangerous in practice than the same bug might be in a lower-value system. This is an inference based on the product's administrative role and the attack characteristics Fortinet and NVD describe.
The other reason this deserves immediate attention is that Fortinet says it has observed the issue being exploited in the wild and urges customers to install the hotfix for the affected versions. That pushes the issue out of the "theoretical risk" category and into live operational risk.
A Note on the Public Data
There are a couple of inconsistencies in the public record right now.
First, NVD shows the Fortinet CNA score as 9.8, while the vendor advisory page displays 9.1. Second, Fortinet's advisory summary says the issue has been exploited in the wild, but the metadata block on the same page still shows "Known Exploited: No." These mismatches are not unusual in the first day or two after publication, especially when vendor and database entries are being updated on slightly different timelines. The safe approach is not to get hung up on the decimal score or the field mismatch. The risk profile is already clear enough to justify urgent action.
Who Discovered It
Fortinet's acknowledgment section credits Simo Kohonen from Defused and Nguyen Duc Anh with reporting the vulnerability under responsible disclosure. That part is confirmed by the vendor.
What is not confirmed in the advisory is the exact discovery method. There is enough public information to say the bug was reported by Defused and Nguyen Duc Anh, but not enough in the official sources to state as fact that it was specifically found through honeypots or a particular telemetry pipeline. That may turn out to be true, but the public advisory does not currently document it.
What Organizations Should Do Now
If your environment uses FortiClient EMS, the first priority is simple: find out whether you are running 7.4.5 or 7.4.6. If you are, apply Fortinet's hotfix immediately or move to 7.4.7 or later as your change process allows. Fortinet links directly to release note instructions for the hotfixes covering both affected builds.
Beyond patching, there are a few practical defensive steps worth taking.
1. Reduce Exposure Where Possible
Because the attack is unauthenticated and network reachable, any unnecessary exposure of EMS interfaces should be reduced while patching is underway. Restricting access paths, limiting public exposure, and tightening administrative reachability are sensible short-term risk-reduction steps based on the attack vector Fortinet and NVD describe.
2. Review Logs for Suspicious API Activity
The public advisory does not currently provide a rich set of indicators of compromise, but defenders should still review EMS logs, reverse proxy logs, and endpoint telemetry for unusual API requests, unexplained administrative actions, or server-side process execution tied to the EMS host. Fortinet's statement about observed exploitation is enough reason to include compromise assessment in the response plan.
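Because the advisory does not ship indicators, the review described above has to start from the traffic shape the CVSS vector implies: unauthenticated requests to the EMS API from places that should never talk to it. The script below is an added example for this post, not Fortinet detection content. It reads reverse-proxy lines in the standard Apache/nginx "combined" format, flags any request under an assumed API prefix from a source outside an assumed set of trusted management networks, and ranks successful (2xx) ones highest. The log lines, the `/api/` prefix, the trusted CIDRs and the request paths are all constructed placeholders; substitute your own proxy format, real EMS API paths and management ranges before running it against production logs.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" log format. Adjust if your proxy logs a different shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions for this example: EMS API traffic lives under this prefix, and only
# these networks are legitimately allowed to reach it. Replace with your own values.
API_PREFIXES = ("/api/",)
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample log (documentation IP ranges, invented paths), not real traffic.
SAMPLE_LOG = """\
10.10.5.21 - - [22/Apr/2026:09:14:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [22/Apr/2026:09:15:40 +0000] "POST /api/v1/admin HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.45 - - [22/Apr/2026:09:15:41 +0000] "POST /api/v1/admin HTTP/1.1" 200 1024 "-" "curl/8.0"
192.168.50.7 - - [22/Apr/2026:09:16:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2026:09:17:03 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.45 - - [22/Apr/2026:09:17:30 +0000] "GET /static/logo.png HTTP/1.1" 200 9000 "-" "curl/8.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line: str):
    """Return a dict of fields for a well-formed combined-format line, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    fields = match.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def is_trusted(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_suspicious(lines):
    """API-prefixed requests from untrusted sources. 2xx responses are ranked 'high'
    because an unauthenticated success is the outcome the advisory warns about."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIXES):
            continue
        if is_trusted(rec["ip"]):
            continue
        priority = "high" if 200 <= rec["status"] < 300 else "medium"
        findings.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                         "status": rec["status"], "ts": rec["ts"], "priority": priority})
    return findings


def summarize(findings) -> Counter:
    """Hits per untrusted source, to spot a single origin walking the API."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"[{hit['priority']:6s}] {hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    print("by source:", dict(summarize(hits)))
```

A "high" finding from an external address is not proof of compromise on its own, but it is exactly the record that should drive a compromise assessment of the EMS host, correlated with endpoint telemetry and any administrative changes made around the same timestamp.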
3. Check for Downstream Administrative Impact
Because EMS is a management component, the investigation should not stop at the server itself. Teams should also check whether any related policies, administrative settings, or integrated workflows were modified unexpectedly. This recommendation is a defensive inference based on the administrative role of the platform and the possibility of code or command execution described in the advisory.
The Bigger Lesson
CVE-2026-35616 is a good reminder that access control bugs in management APIs are rarely "just another web vuln." When the vulnerable service sits at the center of administration, the impact can be much larger than the initial bug description suggests. In this case, the public facts are enough to tell a clear story: the issue is remote, unauthenticated, critical, tied to the EMS API, and serious enough that Fortinet has already released hotfix guidance and warned about exploitation.
Final Takeaway
For defenders, the message is straightforward. If you run FortiClient EMS 7.4.5 or 7.4.6, treat CVE-2026-35616 as an urgent patching priority. Apply the vendor hotfix, reduce exposure until remediation is complete, and review the environment for suspicious API or command activity. Even though some public metadata is still a little inconsistent, the important part is not ambiguous: this is a critical remote vulnerability in a management product, and waiting is the wrong bet.
Sources:
- https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- https://nvd.nist.gov/vuln/detail/CVE-2026-35616
