FortiClient EMS Zero-Day CVE-2026-35616: Pre-Auth API Bypass Hits Endpoint Management at Scale

Fortinet's FortiClient Enterprise Management Server (EMS) — the platform that pushes security policies, patches, and configurations to every managed endpoint — carried a pre-authentication API bypass that attackers exploited as a zero-day weeks before a patch existed. Tracked as CVE-2026-35616 with a CVSS score of 9.1, the flaw hands unauthenticated attackers the ability to execute arbitrary commands on the management server itself, turning an organization's endpoint security backbone into its single largest attack surface.

How CVE-2026-35616 Works: Anatomy of the API Bypass

The vulnerability resides in an improper access control mechanism within the FortiClient EMS API layer. Affected versions — 7.4.5 and 7.4.6 — fail to enforce authentication and authorization checks on specific API endpoints. An attacker who can reach the EMS instance over the network can craft HTTP requests that bypass authentication entirely, gaining direct command execution on the server without valid credentials.

What makes this flaw particularly dangerous is the asset it compromises. FortiClient EMS is not a peripheral appliance; it is the centralized console that manages endpoint agents across an entire fleet. Gaining control of EMS means an attacker can push malicious configurations, disable endpoint protections, deploy payloads to thousands of machines simultaneously, or silently exfiltrate telemetry data that maps the organization's internal network topology.

Defused Cyber recorded the first confirmed exploitation attempts on March 31, 2026 — over the Easter holiday weekend — four days before Fortinet published its advisory on April 4. That four-day zero-day window gave threat actors a head start against organizations that had no patch, no workaround, and no public indicator of compromise to hunt for.

The Back-to-Back Critical Chain: From CVE-2026-21643 to CVE-2026-35616

The timeline makes this situation uniquely painful. CVE-2026-21643, a critical SQL injection vulnerability in FortiClient EMS 7.4.4, was actively exploited from March 26 onward. Organizations that followed best practice and upgraded immediately to version 7.4.5 unknowingly traded one critical zero-day for another. The upgrade path itself introduced CVE-2026-35616, creating a back-to-back critical vulnerability chain across consecutive releases.

This chain undermines a core assumption in vulnerability management: that patching to the latest version resolves the risk. In this case, the latest version was the risk. Attackers who tracked Fortinet's release cadence could anticipate that freshly patched environments would be running 7.4.5 or 7.4.6, and target them accordingly.

The Shadowserver Foundation identified over 2,000 publicly accessible FortiClient EMS instances worldwide, with at least two confirmed as actively compromised at the time of disclosure. CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 6, requiring U.S. federal agencies to apply fixes by April 9 — one of the shortest remediation windows CISA has ever mandated.

Why This Matters for SAMA-Regulated Financial Institutions

Fortinet appliances and endpoint management platforms are deeply embedded in Saudi banking infrastructure. Many SAMA-regulated institutions rely on FortiClient EMS to enforce endpoint compliance, manage VPN configurations, and maintain visibility across branch networks. A compromise of EMS does not just affect one server; it cascades across every endpoint under management.

SAMA's Cyber Security Common Controls (CSCC) framework requires institutions to maintain secure configuration management (Section 3.3), implement robust vulnerability management processes (Section 3.4), and ensure continuous monitoring of endpoint security posture (Section 3.7). A pre-authentication bypass in the very platform responsible for enforcing these controls creates a compliance gap that auditors will flag — and that attackers have already demonstrated they can exploit.

The NCA Essential Cybersecurity Controls (ECC) compound the risk. ECC-2:3 mandates secure management of cybersecurity tools and platforms, while ECC-2:5 requires timely patching of critical vulnerabilities. The back-to-back nature of CVE-2026-21643 and CVE-2026-35616 means institutions that documented their patching of the first CVE may have inadvertently introduced the second, creating an audit trail that shows compliance effort but not actual risk reduction.

Observed Attack Patterns and Post-Exploitation Behavior

Threat intelligence from multiple sources indicates that attackers exploiting CVE-2026-35616 followed a consistent post-exploitation playbook. After gaining command execution on the EMS server, attackers harvested stored credentials and endpoint telemetry data to map internal network segments. In at least one confirmed case, attackers leveraged EMS management capabilities to push modified endpoint configurations that weakened local firewall rules and disabled specific detection modules.

The SQL injection predecessor, CVE-2026-21643, was linked to attacks where adversaries hijacked endpoint management infrastructure to push malicious updates to managed devices and pivot deeper into cloud-connected systems. Security researchers noted that this pattern aligns with tactics used by advanced persistent threat groups conducting espionage operations, as well as ransomware operators seeking maximum lateral movement before encryption deployment.

Remediation Steps and Defensive Recommendations

1. Apply emergency hotfixes immediately. Fortinet released hotfix builds 7.4.5.2111 and 7.4.6.2170. Apply the appropriate hotfix for your current version without waiting for the full 7.4.7 release. Verify patch application by checking the build number in the EMS administration console.
2. Restrict network access to EMS. FortiClient EMS management interfaces must never be exposed to the public internet. Place EMS behind network segmentation with access restricted to authorized administrator IP ranges only. Review firewall rules to confirm no unintended exposure exists.
3. Audit EMS activity logs for indicators of compromise. Review API access logs from March 28 onward for unauthenticated requests to management API endpoints. Look for unusual endpoint policy changes, new administrator accounts, or bulk configuration pushes that were not initiated by your team.
4. Rotate all credentials stored in or accessible through EMS. This includes service accounts, LDAP bind credentials, VPN pre-shared keys, and any API tokens configured within the platform. Assume credential exposure until forensic analysis confirms otherwise.
5. Validate endpoint integrity. Cross-reference current endpoint configurations against your documented baseline. Any deviation — disabled modules, modified firewall rules, new scheduled tasks — should be treated as potentially malicious and investigated before being restored.
6. Update your vulnerability management process. Document this incident as a case study for your SAMA CSCC vulnerability management program. The back-to-back critical chain demonstrates that version-based patching alone is insufficient; organizations must also monitor vendor advisories between patch cycles and maintain rollback capabilities.

Conclusion

CVE-2026-35616 is not just another Fortinet vulnerability — it is a direct compromise of the trust model that endpoint management platforms depend on. When the system responsible for enforcing security policy becomes the attack vector, every endpoint it manages inherits the risk. The back-to-back chain with CVE-2026-21643 adds an operational lesson: upgrading to the latest version is necessary but not sufficient. Institutions must validate each release against emerging advisories, restrict management plane exposure, and maintain forensic readiness for zero-day scenarios.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your endpoint management infrastructure security posture.