A critical cybersecurity vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS) is currently being exploited in real-world attacks, triggering global concern among security professionals. The flaw, tracked as CVE-2026-35616, carries a high severity score of 9.1 and allows attackers to bypass authentication mechanisms and execute unauthorized commands remotely.
According to security observations, this vulnerability is not just theoretical—it is actively being weaponized by threat actors. Attackers are targeting exposed FortiClient EMS systems across multiple industries, with a particular focus on high-value sectors such as government networks, healthcare infrastructure, and cryptocurrency platforms.
Vulnerability Breakdown
The core issue lies in improper access control within the FortiClient EMS API. This flaw allows attackers to send specially crafted requests to the system without needing valid login credentials. As a result, they can bypass authentication entirely and gain elevated access to the system.
Once inside, attackers can execute malicious commands, deploy backdoors, or move laterally across the network. This type of access is especially dangerous in enterprise environments, where a single compromised system can lead to widespread damage.
Active Exploitation in the Wild
Security researchers have confirmed that exploitation attempts began around late March 2026, with increased activity observed in the following days. Reports indicate that attackers were able to identify and target vulnerable systems quickly, suggesting automated scanning and exploitation tools are already in use.
The situation is further complicated by the timing of these attacks. Experts note that cybercriminals often launch campaigns during weekends or holidays, when security teams may be understaffed. This increases the likelihood of successful breaches and delays in detection.
Impact on Critical Industries
Government Networks
Government systems are among the primary targets due to the sensitive nature of their data. Successful exploitation could lead to unauthorized access to confidential information, surveillance operations, or disruption of essential services.
Healthcare Systems
Healthcare organizations face significant risks, as many rely on continuous system availability. A successful attack could expose patient data or disrupt medical services, potentially impacting patient safety.
Cryptocurrency Platforms
Crypto-related organizations are highly attractive targets due to direct financial incentives. Attackers may attempt to access wallets, manipulate transactions, or compromise exchange infrastructure.
Multiple Vulnerabilities Raise Alarm
This is the second critical vulnerability affecting FortiClient EMS in recent weeks. Another flaw, CVE-2026-21643, was also reported and exploited earlier, raising concerns about a broader security gap.
The presence of multiple high-severity vulnerabilities in a short period suggests that attackers may attempt to chain exploits together, increasing the potential impact of attacks.
Affected Systems
The vulnerability impacts FortiClient EMS versions:
- 7.4.5
- 7.4.6
Organizations using these versions, especially those with internet-exposed systems, are at the highest risk.
Recommended Mitigation Steps
Cybersecurity experts strongly recommend immediate action:
- Apply the official hotfix released by Fortinet
- Upgrade to the latest secure version (7.4.7) once available
- Restrict external access to EMS servers
- Monitor logs for suspicious API activity
- Conduct internal security audits
Delaying these actions could significantly increase the risk of compromise.
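The two steps above, restricting external access and monitoring API activity, can be combined into a single log triage. The following is an added example, not code from this article or from Fortinet: it assumes a reverse-proxy access log in common log format in front of the EMS server, a placeholder `/api/` path prefix, and a constructed allowlist of management networks. All sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: only these management networks should ever reach the EMS API.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.30.1.0/28")]
# Assumption: placeholder prefix standing in for the EMS API paths in your deployment.
API_PREFIX = "/api/"
# Common/combined log format: client ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})\b')

def is_allowed(client):
    """True only if the client is an IP address inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames or junk cannot be verified, so treat as outside
    return any(addr in net for net in ALLOWED_NETS)

def triage(lines):
    """Summarise API requests from outside the allowlist, keyed by source address."""
    findings = defaultdict(lambda: {"total": 0, "success": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIX) or is_allowed(m["ip"]):
            continue
        entry = findings[m["ip"]]
        entry["total"] += 1
        # A 2xx answer to an outside source means the API served the request.
        entry["success"] += int(m["status"].startswith("2"))
        entry["paths"].add(m["path"].split("?")[0])  # drop query string for grouping
    return dict(findings)

# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '10.20.0.5 - - [28/Mar/2026:09:14:02 +0000] "GET /api/example/two HTTP/1.1" 200 512',
    '203.0.113.50 - - [28/Mar/2026:02:11:40 +0000] "POST /api/example/one HTTP/1.1" 200 88',
    '203.0.113.50 - - [28/Mar/2026:02:11:41 +0000] "POST /api/example/one?x=1 HTTP/1.1" 200 91',
    '203.0.113.50 - - [28/Mar/2026:02:11:43 +0000] "GET /api/example/two HTTP/1.1" 401 40',
    '198.51.100.7 - - [28/Mar/2026:03:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [28/Mar/2026:03:02:12 +0000] "GET /api/example/two HTTP/1.1" 403 40',
    'malformed entry that does not parse',
]

if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["success"])
    for ip, f in ranked:
        print(f"{ip}: {f['total']} API requests, {f['success']} successful, {sorted(f['paths'])}")
```

Sources with successful responses are the first to review; once external access is restricted, any entry in this report also indicates the restriction is not being enforced.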
Why This Threat Matters
This vulnerability is particularly dangerous due to its combination of factors:
- No authentication required
- Remote command execution capability
- Active exploitation already confirmed
- High-value enterprise targets
Such vulnerabilities are often exploited rapidly, leaving organizations with minimal response time.
Cybersecurity Outlook
The ongoing exploitation of Fortinet vulnerabilities highlights a growing trend in cyberattacks targeting enterprise security tools themselves. As organizations rely heavily on centralized management systems, attackers are increasingly focusing on these high-impact entry points.
The rise of API-based attacks and zero-day exploitation indicates that cybersecurity strategies must evolve quickly to address these emerging threats.
Conclusion
The active exploitation of CVE-2026-35616 serves as a critical reminder of the importance of timely patching and proactive security measures. Organizations using FortiClient EMS must treat this as an urgent security incident and act immediately to protect their infrastructure.
With attackers already ahead in the exploitation cycle, rapid response is essential to prevent widespread damage and data breaches.
