
CVE-2026-35616: Fortinet FortiClient EMS Zero-Day Now Actively Exploited — Urgent Action Required for Saudi Financial Institutions

A CVSS 9.1 zero-day in Fortinet FortiClient EMS allows unauthenticated attackers to execute code on your endpoint management server — and exploitation has been recorded in the wild since March 31, 2026.

FyntraLink Team

A critical zero-day vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) — tracked as CVE-2026-35616 with a CVSS score of 9.1 — has been confirmed as actively exploited in the wild since at least March 31, 2026. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, with a remediation deadline of April 9 for all U.S. federal agencies. For Saudi financial institutions running Fortinet infrastructure, this is not a drill: an unauthenticated attacker who reaches your FortiClient EMS server can execute arbitrary commands and take full control of endpoint security management across your entire enterprise fleet.

What Is CVE-2026-35616 and Why Does It Matter?

CVE-2026-35616 is an improper access control flaw (CWE-284) in FortiClient EMS versions 7.4.5 and 7.4.6. The vulnerability exists in the API layer, where certain privileged endpoints fail to enforce authentication checks. An unauthenticated remote attacker can send a specifically crafted HTTP request to the EMS server, bypass authorization, and execute code or system commands with the privileges of the FortiClient EMS service account — which, in most enterprise deployments, runs with local administrator or SYSTEM-level rights.

The implications are severe: FortiClient EMS is the nerve center for managing endpoint security policies, VPN configurations, and compliance posture across every enrolled workstation and server in an organization. Compromising the EMS server means an adversary can silently disable endpoint protections, push malicious configurations, harvest VPN credentials, and establish persistent access — all without triggering the very alerts the platform is supposed to generate. Researchers at watchTowr first recorded exploitation attempts against honeypots on March 31, 2026, meaning attackers had working exploit code at least a week before Fortinet issued its hotfix.

Technical Breakdown: The Attack Chain

The root cause lies in how FortiClient EMS handles pre-authentication API requests. Specific REST API endpoints designated for internal service-to-service communication were inadvertently exposed externally without enforcing OAuth token validation. An attacker who can reach TCP port 8013 (the default EMS HTTPS management port) can craft a malformed request that triggers the EMS to process it as a trusted internal call. From there, the attacker can invoke administrative functions: creating rogue administrator accounts, modifying endpoint security profiles, or injecting scripts that the EMS will push to managed endpoints at the next policy synchronization cycle.

Security researchers at Defused Cyber (credited alongside Nguyen Duc Anh for discovering the flaw) published a technical write-up confirming that proof-of-concept code is circulating in private channels. A full patch is expected in FortiClient EMS 7.4.7, but Fortinet has released emergency hotfixes for versions 7.4.5 and 7.4.6 that must be applied immediately. This vulnerability follows closely on the heels of CVE-2026-21643, another CVSS 9.1 flaw in FortiClient EMS that came under active exploitation just weeks earlier — a pattern that suggests threat actors are specifically targeting the Fortinet EMS attack surface in coordinated campaigns.

Impact on Saudi Financial Institutions

Fortinet is among the most widely deployed security vendors across Saudi Arabia's banking and financial sector. SAMA-regulated entities — commercial banks, insurance companies, payment service providers — frequently rely on FortiClient EMS to enforce endpoint compliance as part of their SAMA Cyber Security Framework (CSCC) obligations, particularly under Domain 2 (Cybersecurity Leadership and Governance) and Domain 4 (Cybersecurity Operations and Technology). A successful compromise of FortiClient EMS in a bank environment does not just mean a single infected endpoint; it means an attacker who can manipulate the security posture of every managed device on the network simultaneously.

Under SAMA CSCC requirements, financial institutions must maintain a documented vulnerability management process with defined remediation SLAs tied to CVSS severity. A CVSS 9.1 vulnerability under active exploitation should trigger a Critical-severity response, with patching completed within 24 to 72 hours. Failure to act within the prescribed window not only exposes the institution to breach risk but also creates a documented compliance gap that examiners can cite during SAMA cyber maturity assessments. Additionally, NCA ECC Control 2-5-3 explicitly requires organizations to apply patches for actively exploited vulnerabilities on an emergency basis, bypassing standard change management cycles if necessary.

Recommended Remediation Steps

  1. Apply the Fortinet hotfix immediately. Download and install the emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6 from the Fortinet support portal. Do not wait for the full 7.4.7 release. If your change management process requires emergency CAB approval, invoke your emergency change procedure now — SAMA CSCC and NCA ECC both recognize emergency patching provisions.
  2. Restrict network access to the EMS management port. If your FortiClient EMS management interface (TCP 8013) is reachable from outside the internal management VLAN, implement firewall rules immediately to block external access. The EMS server should only be reachable from dedicated management workstations via a jump server.
  3. Audit EMS administrator accounts. Pull the full list of FortiClient EMS administrator accounts and review for any accounts created after March 25, 2026. Threat actors exploiting this vulnerability have been observed creating rogue admin accounts as a persistence mechanism. Revoke any suspicious accounts and rotate all EMS service credentials.
  4. Review endpoint policy changes and push history. Inspect the EMS audit logs for unauthorized policy modification events, especially any changes to endpoint security profiles, VPN configurations, or script deployment jobs initiated in the past 3 weeks. Correlate with your SIEM for lateral movement indicators on hosts that received policy updates during this window.
  5. Conduct threat hunting on EMS-managed endpoints. Deploy IoC-based detection for the indicators published by watchTowr and Defused Cyber. Focus on endpoints that last synced with EMS during the March 31–April 7 exploitation window. Look for new scheduled tasks, modified startup entries, and outbound connections to unrecognized IPs from FortiClient processes.
  6. Notify your CISO and document the response. Under SAMA CSCC, a Critical-severity incident involving actively exploited infrastructure components must be escalated to the CISO and documented in your incident register. If there is any evidence of successful exploitation, your organization's breach notification obligations under PDPL Article 27 and SAMA Cybersecurity Incident Reporting guidelines must be reviewed immediately.
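As an added example (not part of the FyntraLink advisory or of any Fortinet tooling), the following Python script triages an EMS audit-log export for the indicators named in steps 3 and 4: administrator accounts created after March 25, 2026, and policy or script changes inside the March 31 to April 7 exploitation window, with changes made by a newly created account ranked first. The pipe-delimited log format, the action names and every event in the sample are constructed for this example, since the page does not describe the real EMS export layout.

```python
"""Triage an EMS audit-log export for the indicators in steps 3 and 4: admin
accounts created after 2026-03-25 and policy/script changes in the 2026-03-31
to 2026-04-07 exploitation window. The line format and all events below are
constructed for this example; adapt parse_events() to your real EMS export."""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: "<ISO-8601 UTC timestamp>|<actor>|<action>|<detail>" per line.
SAMPLE_LOG = """\
2026-03-20T09:12:00Z|admin|LOGIN|console
2026-03-30T22:41:07Z|svc_ems|ADMIN_CREATE|new_admin=support_tmp
2026-04-01T03:15:22Z|support_tmp|POLICY_MODIFY|profile=Default-Workstation
2026-04-02T03:20:05Z|support_tmp|SCRIPT_DEPLOY|job=maint-0402
2026-04-05T11:00:00Z|admin|POLICY_MODIFY|profile=VPN-Branch
2026-04-08T08:00:00Z|admin|POLICY_MODIFY|profile=Default-Workstation
"""

ADMIN_CUTOFF = datetime(2026, 3, 25, tzinfo=timezone.utc)            # step 3 threshold
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)            # first recorded exploitation
WINDOW_END = datetime(2026, 4, 7, 23, 59, 59, tzinfo=timezone.utc)  # end of window in step 5
CHANGE_ACTIONS = {"POLICY_MODIFY", "SCRIPT_DEPLOY", "VPN_CONFIG_CHANGE"}  # step 4 event types


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the constructed line format into event dicts with timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "actor": actor, "action": action, "detail": detail})
    return events


def triage(text: str) -> Dict[str, list]:
    """Return rogue admin names, in-window changes, and the subset made by rogue admins."""
    events = parse_events(text)
    rogue = sorted(e["detail"].split("=", 1)[1] for e in events
                   if e["action"] == "ADMIN_CREATE" and e["ts"] >= ADMIN_CUTOFF)
    in_window = [e for e in events
                 if e["action"] in CHANGE_ACTIONS and WINDOW_START <= e["ts"] <= WINDOW_END]
    # Highest IR priority: changes pushed by an account that itself appeared after the cutoff.
    by_rogue = [e for e in in_window if e["actor"] in rogue]
    return {"rogue_admins": rogue, "window_changes": in_window, "by_rogue_admin": by_rogue}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)["by_rogue_admin"]:
        print(f"REVIEW {e['ts'].isoformat()} {e['actor']} {e['action']} {e['detail']}")
```

Every event the script flags should be correlated with the SIEM for the endpoints that received that profile or script, as step 4 describes; the script narrows the review set, it does not replace it.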

Conclusion

CVE-2026-35616 is exactly the type of vulnerability that adversaries — whether nation-state actors, ransomware operators, or financially motivated groups — prioritize. A CVSS 9.1 pre-authentication RCE flaw in a centralized endpoint management platform is a single-shot path to compromising an entire enterprise environment. The fact that exploitation was recorded before a patch existed, and that a related Fortinet EMS vulnerability was exploited just weeks earlier, strongly suggests these vulnerabilities are being actively weaponized in campaigns targeting organizations with Fortinet deployments. For Saudi banks and financial institutions, the combination of regulatory exposure under SAMA CSCC and NCA ECC and the operational risk of a compromised EMS platform makes immediate action non-negotiable.

Is your Fortinet environment patched and verified? Contact Fyntralink for an emergency vulnerability assessment and SAMA-aligned remediation support. Our team can assist with patch validation, compromise assessment, and CISO-level incident documentation within 24 hours.