
CVE-2026-35616: Fortinet FortiClient EMS Zero-Day Under Active Exploitation — A Direct Risk for Saudi Financial Endpoint Security

A critical pre-authentication bypass in Fortinet FortiClient EMS (CVE-2026-35616, CVSS 9.1) is being actively exploited in the wild. Saudi financial institutions relying on Fortinet for endpoint management must act now — CISA already mandated a patch deadline that has passed.

FyntraLink Team

A critical zero-day in Fortinet's FortiClient Endpoint Management Server (EMS) — tracked as CVE-2026-35616 with a CVSS score of 9.1 — has been actively exploited since at least March 31, 2026. Unauthenticated attackers can bypass FortiClient EMS's entire authorization layer via crafted API requests, achieving remote code execution on the underlying server without a single valid credential. For Saudi financial institutions that deploy FortiClient EMS to manage endpoint VPN clients and enforce security posture, the exposure window has already been open for over two weeks.

What CVE-2026-35616 Actually Does

FortiClient EMS is the central management console for Fortinet's endpoint security suite — it governs FortiClient deployments, enforces compliance posture rules, and manages remote-access VPN profiles across the enterprise. The flaw, classified as CWE-284 (Improper Access Control), exists in the EMS REST API. An attacker who can reach the EMS management interface over the network can send specifically crafted HTTP requests that skip the authentication and authorization stack entirely, landing directly in privileged execution context on the server. There is no required user interaction, no prerequisite credentials, and no need to chain with another vulnerability.

Exploitation was first detected on watchTowr honeypots on March 31, 2026 — four days before Fortinet published its advisory. The gap between in-the-wild exploitation and vendor disclosure is a recurring characteristic of FortiClient vulnerabilities; CVE-2024-47575 (FortiJump) followed the same pattern in late 2024. CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, setting a federal remediation deadline of April 9 — a deadline that has already passed.

Scope of Exposure: Versions 7.4.5 and 7.4.6

The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6. Fortinet released an out-of-band hotfix on April 4, 2026; a fully integrated patch will ship in version 7.4.7. Organizations running any earlier EMS branch (7.2.x and below) should consult Fortinet's PSIRT advisory directly, as those branches may carry different risk profiles. The issue does not affect the FortiClient endpoint agent itself, only the server-side EMS management platform.

Exposure surface in a typical Saudi financial institution can be significant. EMS servers are frequently deployed in on-premises data centers or private cloud environments and, in some configurations, are reachable from internal SOC or IT management VLANs. Where network segmentation is incomplete — a finding Fyntralink's assessment teams encounter regularly — the management interface may be accessible from broader corporate network segments, dramatically expanding the blast radius of a successful exploit.

Why This Matters Under SAMA CSCC and NCA ECC

SAMA's Cyber Security Framework (CSCC) Domain 4 (Cyber Security Operations) explicitly requires licensed financial entities to maintain a documented vulnerability management process with defined SLAs for critical findings. A CVSS 9.1 pre-authentication RCE — actively exploited and listed on CISA KEV — classifies as a Critical finding under virtually any scoring methodology, triggering the shortest remediation SLA in any compliant programme. Failure to apply the Fortinet hotfix within that SLA window creates a direct compliance gap that SAMA inspectors can surface during the annual Cyber Security Assessment.

NCA's Essential Cybersecurity Controls (ECC) carry an equivalent obligation under control ECC-2-1 (Vulnerability and Patch Management): organizations must assess, prioritize, and remediate vulnerabilities in a manner proportionate to their severity and exploitability. A zero-day already catalogued by CISA and actively exploited in honeypots satisfies every criterion for immediate action. Organizations subject to both SAMA CSCC and NCA ECC — which includes every Saudi bank, insurance company, and finance firm — face a dual compliance obligation that cannot be deferred.

Immediate Recommendations for Saudi Financial Security Teams

  1. Identify all FortiClient EMS instances. Query your CMDB and Fortinet FortiManager inventory for EMS deployments running versions 7.4.5 or 7.4.6. Include disaster-recovery and staging instances — these are often patched last and exploited first.
  2. Apply the Fortinet hotfix immediately. Fortinet's out-of-band hotfix for 7.4.5 and 7.4.6 is available via the Fortinet Support portal. Validate the build version post-patch and document the remediation timestamp for your SAMA CSCC audit trail.
  3. Restrict network access to the EMS management interface. If patching requires a maintenance window, implement compensating controls now: firewall rules restricting EMS API access (default TCP 8013 and 443) to dedicated management jump hosts only. Zero-trust microsegmentation tools such as Illumio or Guardicore can enforce this granularly without full firewall ruleset changes.
  4. Review EMS logs for exploitation indicators. Look for anomalous API calls to EMS endpoints (particularly /api/v1/ paths) from unexpected source IPs, unusual process spawning from the EMS service account, and new scheduled tasks or services created on the EMS host. Threat intelligence feeds from Recorded Future and Mandiant have begun publishing IoCs tied to early CVE-2026-35616 exploitation clusters.
  5. Assess lateral movement risk. FortiClient EMS holds configuration data, VPN profile secrets, and endpoint compliance records. Assume that a successful exploit may expose credentials stored within EMS and audit connected systems — FortiAnalyzer, FortiManager, Active Directory service accounts — for unauthorized access.
  6. Document the incident response lifecycle. Even if your organization was not breached, SAMA CSCC requires evidence that the vulnerability was identified, risk-assessed, and remediated within policy SLAs. Create a dated incident ticket covering discovery, risk rating, compensating controls applied, patch deployment, and validation scan results.
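As an added example that is not Fyntralink's or Fortinet's tooling, the script below carries steps 1 and 4 of the checklist: it triages an EMS inventory against the two affected builds and walks an access log for /api/v1/ requests from outside a management allowlist. The log layout (combined web-server format), the allowlist subnet, the hostnames and the API paths are all assumptions; map them to your own EMS logs and jump-host ranges.

```python
import ipaddress
import re

# Jump-host range allowed to reach the EMS API (assumed value; use your own).
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/28")]

# Builds named in the advisory as affected.
AFFECTED_EMS_VERSIONS = {"7.4.5", "7.4.6"}

# Assumed combined-style access log layout; the real EMS log format may differ.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def affected_instances(inventory):
    """Return (hostname, version) pairs running 7.4.5 or 7.4.6."""
    return [(host, ver) for host, ver in inventory if ver in AFFECTED_EMS_VERSIONS]


def suspicious_api_calls(lines):
    """Flag /api/v1/ requests whose source is outside the management allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/api/v1/"):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            allowed = any(src in net for net in MGMT_ALLOWLIST)
        except ValueError:  # non-IP source field: treat as unexpected
            allowed = False
        if not allowed:
            hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample data: hostnames, addresses and paths are placeholders.
SAMPLE_INVENTORY = [("ems-prod-01", "7.4.6"), ("ems-dr-01", "7.4.5"), ("ems-lab-01", "7.2.9")]
SAMPLE_LOG = [
    '10.20.30.5 - admin [10/Apr/2026:09:01:12 +0300] "GET /api/v1/endpoints HTTP/1.1" 200 5123',
    '172.16.44.9 - - [10/Apr/2026:09:02:40 +0300] "POST /api/v1/settings HTTP/1.1" 200 81',
    '10.20.30.5 - admin [10/Apr/2026:09:03:02 +0300] "GET /login HTTP/1.1" 200 2210',
    '192.168.7.21 - - [10/Apr/2026:09:05:17 +0300] "GET /api/v1/endpoints HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for host, ver in affected_instances(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} runs EMS {ver}")
    for src, method, path, status in suspicious_api_calls(SAMPLE_LOG):
        print(f"REVIEW: {method} {path} from {src} (HTTP {status})")
```

Hits from outside the allowlist that returned 200 deserve the first look; a 401 from an unexpected source still marks a host that can reach the management interface and belongs in the segmentation follow-up under step 3.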

Conclusion

CVE-2026-35616 is not a hypothetical risk sitting in a quarterly patch cycle — it is an actively weaponized pre-authentication RCE in a product that sits at the heart of endpoint security management for hundreds of enterprises globally. Saudi financial institutions that depend on FortiClient EMS have a narrow window to remediate before threat actors with a specific interest in the Gulf financial sector begin targeting the region. The combination of a CVSS 9.1 score, confirmed in-the-wild exploitation, and CISA KEV listing means this vulnerability satisfies every threshold for emergency response under both SAMA CSCC and NCA ECC.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and find out where your patch management programme stands against the latest threat landscape.