FortiClient EMS Zero-Day CVE-2026-35616: What to Do Now

Published April 6, 2026 · Last updated April 7, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

Fortinet’s FortiClient EMS suffered a critical zero-day (CVE-2026-35616, CVSS 9.1) that was actively exploited before patches existed, with over 2,000 instances found exposed online. Days earlier, a supply-chain compromise of the Trivy vulnerability scanner led to a 340 GB data breach at the European Commission affecting 71 entities.

Bottom Line: Organizations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately, audit internet exposure, and investigate for signs of prior compromise given exploitation began at least four days before the patch.

Read Full Analysis ↓

🧭 Decision Radar (Algeria Lens)

Relevance for Algeria
High
▾

Fortinet products are widely deployed across Algerian enterprises, government agencies, and telecom operators. Any organization running FortiClient EMS 7.4.5 or 7.4.6 is directly exposed to unauthenticated remote code execution.

Infrastructure Ready?
Partial
▾

Many Algerian organizations rely on Fortinet but may lack dedicated vulnerability management teams to apply emergency hotfixes within the critical 24-48 hour window. Internet-exposed management interfaces remain a common misconfiguration in environments with limited network segmentation.

Skills Available?
Partial
▾

Algeria has cybersecurity professionals in banking, telecom, and government sectors, but incident response capabilities for zero-day exploitation remain concentrated in a few large organizations. Smaller enterprises and public sector entities may lack skills to investigate post-exploitation indicators.

Action Timeline
Immediate
▾

The vulnerability is being actively exploited in the wild and requires no authentication. Any organization running affected FortiClient EMS versions must patch now and audit for prior compromise.

Key Stakeholders
CISOs, IT security managers, telecom operators, government IT departments

Decision Type
Tactical
▾

This requires immediate patching and exposure auditing rather than long-term strategic planning, followed by a broader review of management infrastructure segmentation practices.

Quick Take: Algerian organizations using Fortinet endpoint management should treat this as a drop-everything priority. Apply the emergency hotfix for FortiClient EMS 7.4.5/7.4.6 immediately, verify no EMS instances are internet-exposed, and use this incident to accelerate segmentation of management infrastructure away from general network access. The broader pattern of security tools becoming primary targets demands a strategic rethink of how defensive tooling is deployed and monitored.

The Vulnerability That Turns Defenders into Targets

On April 4, 2026, Fortinet released an emergency hotfix for CVE-2026-35616, a critical pre-authentication bypass in FortiClient Endpoint Management Server (EMS) that was already being exploited before any patch existed. With a CVSS score of 9.1, the flaw allows unauthenticated attackers to execute arbitrary code on servers that manage endpoint security for entire organizations.

The timing underscores a broader pattern. Just days earlier, CERT-EU disclosed that a supply-chain compromise of Trivy, the widely used open-source vulnerability scanner, had led to a breach at the European Commission affecting 71 entities and 340 GB of stolen data. Together, these incidents crystallize a disturbing reality: the security infrastructure itself has become the primary attack surface.

How CVE-2026-35616 Works

The vulnerability, classified under CWE-284 (Improper Access Control), resides in the API layer of FortiClient EMS. It allows an unauthenticated attacker to bypass API authentication and authorization controls entirely, escalating privileges and executing malicious code via specially crafted HTTP requests.

What makes this particularly dangerous is the attack’s simplicity. No credentials are needed. No user interaction is required. An exposed EMS administrative interface is all an attacker needs for initial access, foothold establishment, and lateral movement across the managed endpoint fleet.

FortiClient EMS versions 7.4.5 and 7.4.6 are affected. Version 7.2.x remains unaffected. Fortinet published advisory FG-IR-26-099 alongside emergency hotfixes, with a permanent fix expected in the upcoming version 7.4.7. The vulnerability was discovered by Simo Kohonen from Defused Cyber and independent researcher Nguyen Duc Anh.

Exploitation Timeline: Attackers Moved First

The chronology reveals how narrow the window was for defenders:

March 31, 2026: Security firm watchTowr recorded the first exploitation attempts against CVE-2026-35616 on its honeypot network, days before any patch was available. Defused Cyber independently observed zero-day exploitation during the same period.
April 4, 2026: Fortinet confirmed active exploitation and released emergency hotfixes for versions 7.4.5 and 7.4.6.
April 5, 2026: The Shadowserver Foundation identified over 2,000 FortiClient EMS instances exposed to the public internet, with the majority located in the United States and Germany.

This was not the first FortiClient EMS crisis in recent weeks. CVE-2026-21643, a critical SQL injection vulnerability (also CVSS 9.1) affecting version 7.4.4, had been under active exploitation since late March 2026. Attackers were smuggling SQL statements through crafted HTTP request headers, achieving code execution against the backing PostgreSQL database on unpatched systems. Back-to-back critical vulnerabilities in the same product line paint a troubling picture of the attack surface that endpoint management systems present.

The Trivy Breach: When Your Scanner Becomes the Weapon

The FortiClient EMS zero-day did not happen in isolation. On April 3, 2026, CERT-EU disclosed that a sophisticated supply-chain attack had compromised Trivy, the widely deployed open-source container vulnerability scanner maintained by Aqua Security.

The threat actor, identified as TeamPCP, exploited a misconfiguration in Trivy’s GitHub Actions CI/CD pipeline to inject malicious code that harvested AWS API keys, SSH secrets, and Kubernetes credentials from environments running the tool. On March 19, an attacker used a stolen AWS secret to access the European Commission’s cloud infrastructure. The Commission’s Cybersecurity Operations Centre detected abnormal API usage, but by then the attackers had already pivoted across multiple AWS accounts.

The breach ultimately affected 71 clients hosted on the Europa web hosting platform, with over 340 GB of data exfiltrated, including personal information such as names, usernames, and email addresses across multiple EU entities. The extortion group ShinyHunters published the stolen dataset on its dark web leak site on March 28.

The TeamPCP campaign did not stop at Trivy. The group subsequently expanded operations to Checkmarx KICS and the npm ecosystem, demonstrating a systematic strategy of targeting security tooling supply chains.

The Pattern: Security Infrastructure as Attack Surface

These incidents, days apart, reflect a structural shift in how sophisticated adversaries approach enterprise networks. Rather than hunting for vulnerabilities in business applications, attackers are increasingly targeting the security and management stack itself.

The logic is ruthless and effective. Endpoint management servers hold credentials and policies for every managed device. Vulnerability scanners have deep access to infrastructure metadata and often run with elevated privileges. Compromise one of these tools, and you potentially compromise the entire security posture of the organization.

CISA recognized this trend explicitly. On March 18, 2026, the agency issued an alert urging organizations to harden endpoint management systems following a cyberattack against Stryker Corporation, a US-based medical technology firm. The Iranian-linked hacktivist group Handala had exploited Stryker’s Microsoft Intune environment, using the platform’s built-in wipe command to destroy endpoint data across the organization.

For CISOs and security architects, the implication is clear: the tools you trust must be treated with the same skepticism as the threats they are meant to stop.

What Organizations Should Do Now

Immediate actions (24-48 hours):

Patch FortiClient EMS to the latest hotfix for versions 7.4.5 or 7.4.6. If patching is not immediately possible, restrict network access to the EMS administrative interface to trusted internal IP ranges only.
Audit internet exposure. Use asset discovery tools to confirm no EMS instances are directly reachable from the public internet. The 2,000+ exposed instances identified by Shadowserver suggest many organizations are unaware their EMS is publicly accessible.
Review Trivy deployments. Verify you are running a clean, verified version of Trivy. Audit CI/CD pipeline integrity and check for unauthorized changes to scanning tool configurations or outputs.

Strategic actions (30-90 days):

Segment management infrastructure. Endpoint management servers, vulnerability scanners, SIEM collectors, and other security tools should reside on isolated management VLANs with strict access controls, not alongside general server workloads.
Implement zero-trust for security tools. Apply the same authentication, authorization, and monitoring rigor to your security stack as you do to production systems. Pre-authentication bypasses like CVE-2026-35616 succeed precisely because many organizations assume their security tools are inherently trusted.
Verify software supply chains. For open-source security tools, implement signature verification, reproducible builds, and SBOM tracking. The Trivy compromise succeeded because organizations implicitly trusted the tool’s update pipeline.
Monitor for post-exploitation indicators. If FortiClient EMS was exposed before patching, assume compromise and investigate. Look for unusual API calls, new administrative accounts, or unexpected policy changes in your endpoint fleet.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

What is CVE-2026-35616 and why is it critical?

CVE-2026-35616 is a pre-authentication access control bypass in Fortinet’s FortiClient Endpoint Management Server with a CVSS score of 9.1. It allows unauthenticated attackers to execute arbitrary code on the server without any credentials or user interaction. Because FortiClient EMS manages security policies and configurations for all endpoints in an organization, a single compromised server can give attackers control over the entire managed device fleet.

How are the FortiClient EMS zero-day and the Trivy breach connected?

While the two incidents involve different vendors and different attack vectors, they represent the same strategic pattern: adversaries targeting security and management infrastructure rather than business applications. The FortiClient EMS zero-day exploits a flaw in an endpoint management server, while the Trivy breach weaponized a vulnerability scanner’s CI/CD pipeline. Both demonstrate that security tools themselves have become high-value targets because they hold privileged access to the environments they protect.

What should organizations do if their FortiClient EMS was internet-exposed before the patch?

If your FortiClient EMS was publicly accessible before the April 4 hotfix, assume compromise and launch an investigation. Check for unusual API calls, newly created administrative accounts, unexpected policy changes across managed endpoints, and any lateral movement indicators. Fortinet and security researchers recommend treating any pre-patch exposure as a potential breach, given that exploitation was recorded as early as March 31 by watchTowr’s honeypot network.