CVE-2026-35616 is a critical remote code execution (RCE) vulnerability (CVSS 9.8) affecting Fortinet FortiClient Endpoint Management Server (EMS). The flaw is caused by improper access control (CWE-284) in the application’s API.

Due to insufficient authentication enforcement, the system fails to properly restrict access to sensitive API endpoints. This allows attackers to send crafted requests that bypass authentication and execute unauthorized commands.

The following version affected;

• Fortinet FortiClient EMS
• Specifically, versions:
• 7.4.5
• 7.4.6

Typical exploitation flow:

1. Target discovery

• Attackers scan for exposed FortiClient EMS servers.

2. Crafted API request

• A specially crafted HTTP request is sent to vulnerable API endpoints.

3. Authentication bypass

• Improper access control allows the request to bypass authentication mechanisms.

4. Execution of malicious commands

• The attacker executes arbitrary commands or code on the EMS server.

5. Post-exploitation

• Attackers may:

   Gain administrative control

   Deploy malware or ransomware

   Move laterally across managed endpoints

This vulnerability requires:

• No authentication
• No user interaction
• Low attack complexity

CERTVU recommends the following:

1. Apply Security Updates Immediately

• Install Fortinet security updates / hotfixes addressing the vulnerability.
• Follow Fortinet advisory FG-IR-26-099.

2. Restrict Network Exposure

• Do not expose EMS management interfaces to the internet.

3. Monitor for Indicators of Compromise (IoCs)