Critical Improper Access Control in Fortinet FortiClient EMS (CVE‑2026‑35616) Exploited in the Wild
What It Is – Fortinet FortiClient Endpoint Management Server (EMS) contains an improper access‑control flaw (CWE‑284) that lets an unauthenticated attacker bypass authentication via a crafted API request and gain elevated privileges.
Exploitability – The vulnerability (CVSS 9.1) is confirmed exploited in the wild, including zero‑day attacks observed before a fix was available. No public PoC has been released, but threat‑intel feeds report exploitation traffic carrying the HTTP header X‑SSL‑CLIENT‑VERIFY: SUCCESS.
Affected Products – FortiClient EMS 7.4.5 and 7.4.6 (out‑of‑band hotfix available). A permanent fix ships in 7.4.7.
TPRM Impact –
- Endpoint‑management agents are often deployed across multiple third‑party sites; a breach can cascade to partner networks.
- Privilege escalation on managed endpoints can expose corporate data, credentials, and internal tooling, raising supply‑chain risk.
Recommended Actions –
- Deploy the out‑of‑band hotfix for FortiClient EMS 7.4.5/7.4.6 immediately; schedule upgrade to 7.4.7.
- Verify that API endpoints are not reachable from untrusted networks; enforce network segmentation.
- Monitor logs for requests carrying the header X‑SSL‑CLIENT‑VERIFY: SUCCESS, and for anomalous API calls.
- Update your vulnerability management program to flag CVE‑2026‑35616 as a critical priority.
- Communicate the remediation deadline (April 9 2026) to all affected business units and third‑party service providers.
Source: Security Affairs