Fortinet Zero-Day Exploit Puts Enterprises at Risk

Honestly, you'd think in 2026 we'd have figured out how not to let unauthenticated randos execute arbitrary code on enterprise networks. Yet here we are: Fortinet, a big dog in the security appliance business, just patched a critical flaw—CVE-2026-35616—in its widely deployed FortiClient Endpoint Management Server (EMS). Turns out, if you're running version 7.4.5 or 7.4.6, someone could stroll right past your API's authentication like they're skipping the line at a bad nightclub, then get to work running code or, worse, taking your data for a ride.

What Went Wrong This Time?

If you like your infrastructure secure, it's not a fun read. Researchers Simo Kohonen (Defused Cyber) and Nguyen Duc Anh flagged a big problem: the API behind FortiClient EMS didn't do a decent job checking who was knocking at the door. Improper access control meant attackers—without so much as a password—could send cleverly crafted requests and get straight to command execution. That means full system compromise, permissions be damned. No secret decoder ring required.

Fortinet didn't drag its feet after the disclosure—the company put out hotfixes and plans a proper fix in version 7.4.7. But here's the kicker: this flaw wasn't quietly lurking in some corner. It was being actively exploited in the wild before some poor sysadmins even had their coffee.

How Does a 9.1 Out of 10 Happen?

That CVSS score tells you all you need to know: this bug is severe. A 9.1 rating means attackers don't need credentials, insiders, or luck. Just internet access. The vulnerability sits squarely in the API's authentication and authorization logic, so by bypassing it, intruders can run anything they like, nab any data they want, and potentially pivot deeper into your network. It's not just something to worry about; it's something you have to drop everything and fix—yesterday.

If You're Running 7.4.5 or 7.4.6, Good Luck

Organizations love "endpoint management" because it promises control: patch deployment, remote troubleshooting, and, if you're ambitious, some peace of mind. Fortinet’s FortiClient EMS should be the central nervous system for all your FortiClients, so you'd expect bulletproof security. Instead, if you're on 7.4.5 or 7.4.6, you're now fielding phone calls from executives asking if you’ve been breached yet.

  • FortiClient EMS 7.4.5 & 7.4.6: Both confirmed vulnerable. Hotfixes out now.
  • FortiClient EMS 7.2: Not impacted. (Congratulations to the "slow to upgrade" crowd. This time, your procrastination paid off.)
  • Upcoming 7.4.7: Promises a real fix. Mark your patch schedules.

Why Do Security Vendors Keep Fumbling the Basics?

There's an old joke in security: authentication and authorization are hard. But it's getting pretty tired. When a company with "security" in its name can't reliably block unauthenticated access to management APIs, you wonder what kind of quality assurance process is actually happening inside the vendor's walls. Or, maybe, how much pressure dev teams feel to push out features over boring stuff like access control.

You, the customer, pay for software and appliances that are supposed to defend you. More and more, it feels like you're just waiting for the next patch panic cycle. The industry’s dirty secret is that, while attackers are imaginative, defenders are often just stuck cleaning up after preventable mistakes and missing the forest for the trees.

Active Exploitation: Threats Move Faster Than Patch Notes

Fortinet says this vulnerability was already being exploited. Somewhere, right now, an organization is finding out the hard way what "arbitrary code execution" translates to in terms of ransom or data loss. If you rely on FortiClient EMS and haven't patched, you're probably already scanning logs and wondering what slipped by.

Let's not kid ourselves: when a zero-day goes public, it's nearly a race between attackers updating their scripts and IT teams racing through patch management. The gap? That's your risk window. And for shops with change freezes, compliance red tape, or too many endpoints to count, closing that window isn't always as simple as “just patch.”

So, What Should You Actually Do?

Fortinet’s advice is the stuff you expect, but that doesn’t mean people actually do it. In a perfect world, organizations would:

  • Apply the hotfix—immediately.
  • Plan for an upgrade to 7.4.7 when it drops (and pray it doesn't introduce new surprises).
  • Restrict exposure: Don’t let the EMS management interface sit on open networks for anyone to ping. Think segmentation, firewalls, VPNs, and, if your vendor finally supports it, two-factor authentication on the interface.
  • Monitor logs: Hunt for suspicious API activity, failed requests, and strange command executions. Assume you’ve been poked and prodded until proven otherwise.
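
One way to start the log hunt the last bullet describes, as an added example that is not from this article and not Fortinet's own tooling: a small Python triage script run over constructed access-log lines. The line format, the field names and the endpoint paths (`/api/v1/admin`, `/api/v1/tasks/run` and friends) are assumptions made for the example, not the real FortiClient EMS log schema; map them to whatever your EMS host or reverse proxy actually writes. It surfaces the three things the bullet asks for: a call that reached a management endpoint with no credential yet got a 2xx, a client that failed authentication repeatedly and then succeeded, and any successful hit on an endpoint that runs something on managed endpoints.

```python
"""Triage constructed API access-log lines for the patterns worth hunting
after an authentication-bypass advisory: unauthenticated calls that
succeeded on management endpoints, failed-then-successful auth bursts from
one client, and successful hits on command-execution endpoints.

ASSUMPTIONS for this example: the log line format, the field names and the
endpoint paths below are invented for illustration, not a vendor schema.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Assumed line format (constructed for this example):
# <ISO time> <client-ip> <METHOD> <path> <status> auth=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

# Hypothetical prefixes that must never answer 2xx without a session.
MANAGEMENT_PREFIXES = ("/api/v1/admin", "/api/v1/endpoints", "/api/v1/tasks")
# The login endpoint is legitimately called without a session, so exempt it.
LOGIN_PATH = "/api/v1/admin/login"
# Hypothetical paths whose success means code ran on a managed endpoint.
EXEC_PATHS = ("/api/v1/tasks/run", "/api/v1/endpoints/script")
FAIL_THRESHOLD = 3  # consecutive 401/403s before a later success is suspicious


@dataclass(frozen=True)
class Finding:
    kind: str    # unauth_success | fail_then_success | exec_endpoint
    ip: str
    detail: str


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "yes"
    return rec


def triage(lines):
    """Walk the log once, in order, and return findings as they are seen."""
    findings = []
    failures = defaultdict(int)  # ip -> consecutive 401/403 count
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the hunt
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        success = 200 <= status < 300
        # 1. success on a management endpoint with no credential at all
        if (success and not rec["auth"] and path != LOGIN_PATH
                and path.startswith(MANAGEMENT_PREFIXES)):
            findings.append(Finding("unauth_success", ip,
                                    f"{rec['method']} {path} -> {status}"))
        # 2. a run of auth failures followed by a success from the same client
        if status in (401, 403):
            failures[ip] += 1
        elif success:
            if failures[ip] >= FAIL_THRESHOLD:
                findings.append(Finding("fail_then_success", ip,
                                        f"{failures[ip]} failures before {path}"))
            failures[ip] = 0
        # 3. every successful command-execution call gets a human review,
        #    authenticated or not: the question is whether it was expected
        if success and path.startswith(EXEC_PATHS):
            findings.append(Finding("exec_endpoint", ip, f"{rec['method']} {path}"))
    return findings


# Constructed sample: one normal admin, one client that hammers the login
# endpoint, then reaches management and execution endpoints with no session.
SAMPLE_LOG = [
    "2026-01-10T08:00:01Z 10.0.5.20 GET /api/v1/endpoints 200 auth=yes",
    "2026-01-10T08:00:02Z 198.51.100.7 POST /api/v1/admin/login 401 auth=no",
    "2026-01-10T08:00:03Z 198.51.100.7 POST /api/v1/admin/login 401 auth=no",
    "2026-01-10T08:00:04Z 198.51.100.7 POST /api/v1/admin/login 401 auth=no",
    "2026-01-10T08:00:05Z 198.51.100.7 GET /api/v1/endpoints 200 auth=no",
    "2026-01-10T08:00:06Z 198.51.100.7 POST /api/v1/tasks/run 200 auth=no",
    "this line is not in the expected format",
    "2026-01-10T08:01:00Z 10.0.5.20 POST /api/v1/tasks/run 200 auth=yes",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.ip:15} {f.detail}")
```

The script keeps state per client only for the failure counter, so it runs in one pass over a large file; feed it `sys.stdin` instead of `SAMPLE_LOG` when pointing it at real exports. Rule 3 deliberately flags the authenticated admin's execution call too: after an access-control bypass, "it had a session" is not proof the session was earned, and reconciling those hits against change tickets is the actual hunt.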

Most disturbingly, there are still organizations that will put off those patches for weeks. Maybe they're busy, maybe they're risk-tolerant, or maybe they're understaffed and drowning in alerts. Either way, attackers know there’s always a laggard out there.

Patch Fatigue and the Risks of Trusting Brands

There are only so many urgent vulnerabilities a team can drop everything for before burnout sets in. Fortinet’s flaw is a stark reminder that no security vendor is immune—not even the ones with billions in R&D or shiny cybersecurity awards. A single misstep in authentication and suddenly the “secure” product is an open door. Does this mean every shop should write its own code? Of course not. But blindly trusting brand-name vendors isn’t risk management—it’s a wish and a prayer.

As a sorry bonus, this kind of breach feels almost inevitable when most enterprise environments are a soup of legacy tech, rushed upgrades, and patch-driven fire drills. So what’s left? Relentless vigilance. Constant upgrade cycles, no matter how much pain they cause. And a healthy dose of skepticism, whether your gear comes from a big name or a boutique specialist.

If you’re using FortiClient EMS and haven’t patched yet, maybe this will be your wake-up call. For the rest of us, every "critical update" is just another reminder that the only constant in security is disappointment—and the next patch is already waiting in your inbox.
