3 May 2026

Fortinet CVE-2026-35616: Two Critical FortiClient EMS Flaws in Weeks – What It Means for DACH IT Teams

7 min. reading time

Fortinet patched two critical vulnerabilities in FortiClient EMS within three weeks. CVE-2026-35616 with a CVSS score of 9.1 enables pre‑authenticated remote code execution – Shadowserver honeypot data shows active exploit attempts since March 31 2026. The pattern is clear: FortiClient EMS is structurally exposed and patch cadence alone is no longer sufficient.

Key Takeaways

  • Two critical patches in three weeks. CVE-2026-35616 (CVSS 9.1, pre‑auth RCE) and a follow‑up advisory for a privilege‑escalation vector in FortiClient EMS – this is not an isolated incident but a pattern.
  • CISA KEV listing on April 2 2026. U.S. federal agencies have a 7‑day patch deadline. DACH IT teams without similar governance must set their own deadline.
  • Exploit pattern active since March 31. Shadowserver and GreyNoise record probe traffic against exposed FortiClient EMS installations. Running EMS without network segmentation leaves you directly exposed.
  • Patch alone is not enough. JDBC injection as an attack vector in FortiClient EMS means unauthenticated users can execute SQL queries. Network access control on the EMS port is a critical immediate measure.

What is FortiClient EMS? FortiClient EMS (Endpoint Management Server) is Fortinet’s central management platform for the FortiClient agent on endpoints. EMS controls compliance policies, VPN configurations and security‑posture assessments for all managed endpoints in the network – making it a high‑privilege target for attackers.


What Sets CVE-2026-35616 Apart from Earlier FortiClient Vulnerabilities

FortiClient EMS has a documented history of flaws. CVE-2023-48788 was an SQL‑injection bug with a CVSS of 9.8 that was massively exploited in 2024 and landed on the CISA KEV list. The pattern repeats: JDBC‑based injection, pre‑auth access, critical CVSS score.

CVE-2026-35616 uses the same attack vector as its predecessor – JDBC database access without prior authentication. According to Fortinet’s advisory of 29 March 2026, an unauthenticated attacker can execute SQL code on the EMS database via crafted HTTP requests. The direct consequence: system‑level access to the EMS server with database privileges.

What distinguishes this incident from the 2023 case: the window between patch release and honeypot activity was shorter this time. Shadowserver logged the first exploit attempts against CVE-2026-35616 on 31 March 2026 – just two days after the advisory. For CVE-2023-48788 it took roughly two weeks before the first large‑scale exploitation.

Risk Metrics

  • CVSS 9.1 – Critical score for CVE-2026-35616, pre‑auth RCE via JDBC injection
  • 2 days – From advisory to first honeypot exploit attempts (Shadowserver)
  • 7 days – Patch deadline for US federal agencies after the CISA KEV listing on 2 April 2026

Why FortiClient EMS Is Structurally Exposed

FortiClient EMS is, by design, a high‑privilege system. It knows every managed endpoint, their compliance status, VPN connections and security policies. When an attacker compromises EMS, they don’t just gain a server – they obtain a map of the entire endpoint inventory and a lever to manipulate security policies.

The real issue lies in deployment practices: many DACH companies run FortiClient EMS without strict network segmentation – often with direct access from the internal network or, worse, from DMZ segments. Yet EMS is an administration platform that should never be reachable directly from the user LAN.

“Every second FortiClient‑EMS deployment we see in penetration tests has the management port directly reachable from the internal network. That’s a design flaw, not a configuration mistake.”

– Alec Chizhik, securitytoday.de

The Patch and Hardening Checklist for DACH Teams

Patch status first – but patching alone does not solve the structural issue. A combined action list:

  1. Immediate action: check the EMS version. Affected versions are FortiClient EMS 7.4.0 through 7.4.1 and 7.2.0 through 7.2.7. The fix is included in 7.4.2 and 7.2.8. Version check: run diagnose sys version in the EMS CLI.
  2. Restrict network access. EMS port 443 should be reachable only from a dedicated management segment – not from the general user LAN. Verify the firewall rule and adjust if necessary.
  3. Exposure check: Is EMS reachable from the Internet? Query Shodan or FOFA for your external IP. Publicly accessible EMS instances are an immediate priority.
  4. Log review for exploit attempts. Fortinet’s IOC list for CVE‑2026‑35616 contains specific HTTP‑request patterns. Search your SIEM for these patterns over the past 30 days.
  5. Plan a two‑patch cadence. Fortinet released two critical advisories within three weeks. Anyone operating EMS should define a dedicated patch track with a maximum 72‑hour response time for Fortinet criticals.
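Steps 1 and 4 of the checklist (version check, 30‑day log review) as an added Python example; this is not code from Fortinet or from this article. The version ranges are the ones the article states; the request pattern, the log lines and the IP addresses are constructed placeholders, because the real IOC patterns are only in Fortinet's advisory and must be substituted for `IOC_PATTERNS`.

```python
import re
from datetime import datetime, timedelta, timezone

# Version ranges exactly as the article states them: 7.4.0-7.4.1 fixed in 7.4.2,
# 7.2.0-7.2.7 fixed in 7.2.8. Any other branch is "off-advisory": follow the upgrade path.
FIXED_PATCH = {(7, 4): 2, (7, 2): 8}

def ems_version_status(version: str) -> str:
    """Classify an EMS version string such as '7.2.7' as vulnerable, fixed or off-advisory."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "off-advisory"
    return "fixed" if patch >= fixed else "vulnerable"

# PLACEHOLDER pattern: replace with the HTTP request patterns from Fortinet's advisory.
# Each entry is (method, path regex) so a plain GET to the same path does not fire.
IOC_PATTERNS = [("POST", re.compile(r"^/PLACEHOLDER_DB_PATH(/|$)"))]

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_exploit_attempts(log_lines, now, window_days=30):
    """Return (ip, iso timestamp, path, status) for IOC matches inside the look-back window.
    `now` must be timezone-aware so it compares with the log's offset-bearing timestamps."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff:
            continue  # outside the 30-day review window from step 4
        for method, path_re in IOC_PATTERNS:
            if m["method"] == method and path_re.search(m["path"]):
                hits.append((m["ip"], ts.isoformat(), m["path"], int(m["status"])))
    return hits

# Constructed sample lines (documentation-range IPs); one POST probe inside the window,
# the same probe outside it, and two benign requests that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:02:14:09 +0000] "POST /PLACEHOLDER_DB_PATH/query HTTP/1.1" 500 0',
    '10.0.5.12 - - [31/Mar/2026:08:00:00 +0000] "GET /PLACEHOLDER_DB_PATH/query HTTP/1.1" 200 410',
    '203.0.113.7 - - [01/Feb/2026:02:14:09 +0000] "POST /PLACEHOLDER_DB_PATH/query HTTP/1.1" 500 0',
    '10.0.5.12 - - [01/Apr/2026:09:30:00 +0000] "GET /login HTTP/1.1" 200 2048',
]
```

Running `find_exploit_attempts(SAMPLE_LOG, now=datetime(2026, 4, 3, tzinfo=timezone.utc))` returns only the in‑window POST from 203.0.113.7; any hit is a lead for the log review, not proof of compromise.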

After patching is completed

  • RCE vector CVE‑2026‑35616 closed
  • Privilege‑escalation patch (Advisory 2) applied
  • Fortinet support status for the version confirmed
  • Patch documentation created for audit trail

Structurally still open

  • Network segmentation for the EMS port not yet implemented
  • Log review for exploit attempts before the patch date not yet done
  • Incident‑response plan for a compromised EMS instance missing
  • No dedicated patch SLA for Fortinet criticals defined

What This Pattern Means for DACH IT Teams

Fortinet is not an isolated case. Check Point, Palo Alto, Ivanti, SonicWall – all major security vendors have released critical vulnerabilities in their management platforms over the past 18 months, and they have been actively exploited. The pattern is consistent: management software as an attack surface.

The strategic consequence: security‑management software must be treated with the same hardening standards as privileged Active‑Directory components. That means: management ports not reachable from the user LAN, a dedicated patch track, daily log monitoring for anomalies.

Anyone who has not yet applied these basic principles across all security‑management platforms should use the current Fortinet CVE wave as a trigger for a management‑surface hardening project – not as a one‑off patch event.

Sources: Fortinet PSIRT Advisory CVE‑2026‑35616 (29 March 2026) | CISA KEV (2 April 2026) | Shadowserver Foundation Exploit Telemetry

Frequently Asked Questions

Which FortiClient EMS versions are affected by CVE‑2026‑35616?

FortiClient EMS 7.4.0 through 7.4.1 and 7.2.0 through 7.2.7 are affected. The patched versions are 7.4.2 (fixes the 7.4.x branch) and 7.2.8 (fixes the 7.2.x branch). Older versions should, according to Fortinet’s upgrade‑path documentation, first be moved to the current minor branch.

How can I tell if my EMS instance has already been compromised?

Fortinet’s PSIRT advisory includes specific Indicators of Compromise (IOC). Search the EMS web‑server log for unusual HTTP‑POST requests to database‑access paths. Additionally, new local administrator accounts or unknown scheduled tasks on the EMS host are signs of post‑exploitation activity.

Do I have to shut down EMS until the patch is applied?

If EMS is not reachable from the Internet and access is limited to a dedicated management segment, a temporary shutdown is not mandatory – network isolation reduces the risk significantly. For EMS with Internet access: set up an immediate firewall block and apply the patch as soon as possible.

Does the CISA patch deadline also apply to European companies?

No, the CISA KEV patch deadline of 7 days applies only to U.S. federal agencies. It is, however, a useful benchmark: if U.S. agencies consider 7 days acceptable, that should be the maximum for DACH companies with a comparable compliance level, not a target.

What if we use FortiClient EMS as a cloud service?

Fortinet’s cloud‑managed variant (FortiCloud EMS) is patched by Fortinet. Verify whether the instance is truly cloud‑managed – many organizations run a “cloud” that is actually a self‑managed VM in their own cloud environment. In that case, all self‑managed patch responsibilities apply.


Alec Chizhik writes for SecurityToday about vulnerability analysis, exploit telemetry, and operational security decisions for DACH IT teams. More at securitytoday.de

Source cover image: Pexels / Amar Preciado (px:19761838)
