Critical alert: CVE-2026-35616 in FortiClient EMS allows authentication bypass and exposes more than 2,000 servers


The threat came quickly and urgently: a critical vulnerability in FortiClient Enterprise Management Server (EMS), identified as CVE-2026-35616, has forced the US authorities to order immediate action and has set off alarms among security teams around the world. According to the researchers who discovered it, the flaw allows authentication and authorization controls to be bypassed completely through specially crafted requests, which opens the door to the execution of commands or code without the need for credentials.

Fortinet reacted by releasing emergency fixes over the weekend and warned that the vulnerability is the result of a misconfiguration in the access control of its API. The company also warned that malicious actors were already taking advantage of the flaw in active attacks, and recommended installing the hotfixes available for the affected versions (branches 7.4.5 and 7.4.6) or updating to version 7.4.7 when it is published.

Image generated with AI.

The gravity of the problem led the Cybersecurity and Infrastructure Security Agency (CISA) to include the vulnerability in its Known Exploited Vulnerabilities (KEV) catalogue and to issue a binding order for federal agencies, demanding that all FortiClient EMS instances be secured before the deadline indicated under Binding Operational Directive 22-01. Although this directive formally applies to U.S. federal government entities, CISA urged all public and private organizations to prioritize remediation of the flaw.

The context makes the scenario even more worrying: the Shadowserver monitoring group maintains a public counter of FortiClient EMS instances reachable from the Internet and, according to its dashboard, there are close to 2,000 exposed EMS servers, with more than 1,400 IP addresses located in the United States and Europe. This level of public exposure increases the risk of mass compromise, and what complicates matters is that there is no reliable public measurement of how many of these instances have already applied the patch.

Why is a flaw in EMS particularly delicate? An endpoint management server centralizes policies, deployments and controls for the FortiClient agents deployed across a network. Compromising that point means being able to pivot, deploy malware through the management infrastructure or disable security controls on many machines simultaneously. In other words, it is a high-value target for espionage and ransomware attacks.

Fortinet has asked its customers to install the hotfixes for the affected versions as soon as possible and, when the stable, corrected version (7.4.7) is available, to adopt it as the definitive fix. In parallel, CISA's recommendation includes applying the vendor's mitigations, considering discontinuing use of the product if no mitigation is possible, and following the BOD 22-01 guidelines for cloud services. These indications are not merely formal: in practice they involve changing the exposure of the servers, hardening access and reviewing audit trails and logs in search of suspicious activity.

This episode is not isolated in the recent history of Fortinet. In the previous months the company published patches for other critical failures in its products, some of which were also reported as being exploited in real environments. This recurrence has turned certain Fortinet product families into preferred targets for sophisticated campaigns; therefore, each new vulnerability requires a rapid and coordinated response.

For an IT or security manager, the response window is narrow. In addition to applying the official hotfix or the recommended update, there are practical measures that can reduce operational risk while patching is completed: restrict access to the EMS through access control lists and VPNs, move the management console out of direct reach from the Internet, enable detailed logging and monitoring of unusual connections, and prepare response plans that include system isolation and integrity verification after remediation. It is also prudent to review administrative accounts, credentials and keys that may have been compromised and to rotate them where appropriate.
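As an added illustration of the triage step implied above (this is not code from the article, Fortinet or CISA), the following Python prioritises a constructed EMS inventory using the affected branches (7.4.5, 7.4.6) and fixed release (7.4.7) named in the text; the inventory fields, including `hotfix_applied`, are assumptions.

```python
from dataclasses import dataclass

# Versions as stated in the advisory text on this page.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED = (7, 4, 7)

@dataclass
class EmsHost:
    name: str
    version: str
    internet_exposed: bool        # reachable from the Internet (e.g. seen in an external scan)
    hotfix_applied: bool = False  # assumed field: vendor hotfix installed on an affected branch

def parse_version(text: str) -> tuple[int, ...]:
    """'7.4.6' -> (7, 4, 6); tolerates a 'v' prefix and surrounding whitespace."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))

def status(host: EmsHost) -> str:
    """'patched', 'vulnerable', or 'unlisted' when the advisory does not name the version."""
    ver = parse_version(host.version)
    if ver >= FIXED:
        return "patched"
    if ver in AFFECTED:
        return "patched" if host.hotfix_applied else "vulnerable"
    return "unlisted"

def priority(host: EmsHost) -> str:
    """P1: vulnerable and Internet-facing; P2: vulnerable, internal; P3: unlisted, verify; OK otherwise."""
    s = status(host)
    if s == "vulnerable":
        return "P1" if host.internet_exposed else "P2"
    return "P3" if s == "unlisted" else "OK"

def triage(hosts: list[EmsHost]) -> list[tuple[str, str, str]]:
    """Return (priority, name, status) rows with P1 hosts first, then by name."""
    rank = {"P1": 0, "P2": 1, "P3": 2, "OK": 3}
    rows = [(priority(h), h.name, status(h)) for h in hosts]
    return sorted(rows, key=lambda r: (rank[r[0]], r[1]))

# Constructed sample inventory (hostnames and the 7.2.9 version are made up).
SAMPLE = [
    EmsHost("ems-hq", "7.4.6", internet_exposed=True),
    EmsHost("ems-lab", "7.4.5", internet_exposed=False, hotfix_applied=True),
    EmsHost("ems-dc2", "7.4.5", internet_exposed=False),
    EmsHost("ems-new", "7.4.7", internet_exposed=True),
    EmsHost("ems-old", "7.2.9", internet_exposed=True),
]

if __name__ == "__main__":
    for prio, name, st in triage(SAMPLE):
        print(f"{prio:3} {name:10} {st}")
```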


The dynamics of central management vulnerabilities show that modern cybersecurity is not only a technical exercise: it is an organizational issue. Updating software quickly, maintaining accurate inventories of exposed assets, and coordinating communication between security teams, operations and management are critical tasks to prevent a single failure from leading to a major incident.

If you manage FortiClient EMS, do not wait: check your server version, consult the vendor's documentation and apply the hotfixes or the recommended update. To read the official notice from the US cybersecurity agency and understand the compliance framework, you can review the CISA note in the link above. To assess public exposure of EMS instances, Shadowserver offers a view that, although it does not say how many are patched, shows the scale of the deployment reachable from the Internet. And to look for Fortinet's official releases and notices about this and other vulnerabilities, the company's security advisory page is a recommended starting point: Fortinet Product Security Advisories.

Underlying all this, the lesson is clear: when an attack vector affects the management layer, speed of response and operational hygiene make the difference between a contained incident and a breach with extensive consequences. CISA's invitation to the private sector to act as urgently as federal agencies is not rhetoric; it is a call to prevent a quietly exploited vulnerability from becoming a disaster in full view of everyone.
