FortiClient EMS Zero-Day CVE-2026-35616: What Texas Businesses Need to Know

A critical zero-day vulnerability in Fortinet’s FortiClient Enterprise Management Server is being actively exploited in the wild. CVE-2026-35616 is an unauthenticated remote code execution flaw affecting FortiClient EMS versions 7.4.5 and 7.4.6, and it carries a CVSS score of 9.8. If your organization uses FortiClient EMS to manage endpoint security across your network, we recommend making this a top priority for your IT team.

What Is CVE-2026-35616 and Why Is It So Dangerous?

FortiClient EMS is the centralized management platform that pushes security policies, software updates, and configurations to every FortiClient endpoint agent in your environment. It is, by design, a high-privilege system with deep access to every managed device on your network.

CVE-2026-35616 allows an unauthenticated attacker to execute arbitrary code on the EMS server remotely. No credentials required. No user interaction needed. An attacker who can reach your EMS server over the network can take full control of it — and from there, pivot to every endpoint it manages.

This is not a theoretical risk. Fortinet confirmed active exploitation in their emergency advisory, and the Shadowserver Foundation has identified over 2,000 FortiClient EMS instances exposed directly to the internet globally. Many of those are small and mid-sized businesses that lack dedicated security operations teams to catch exploitation in progress.

The affected versions are FortiClient EMS 7.4.5 and 7.4.6 only. Earlier versions (7.4.4 and below) and the patched release (7.4.7) are not affected.

Active Exploitation: What We Know So Far

The timeline on this vulnerability has moved fast:

• Late March 2026: Fortinet’s Product Security Incident Response Team (PSIRT) was notified of exploitation activity targeting FortiClient EMS installations.
• April 2, 2026: Fortinet released an emergency hotfix and published advisory FG-IR-2026-0087, confirming active exploitation in the wild.
• April 4, 2026: Shadowserver scans revealed over 2,000 FortiClient EMS instances exposed to the public internet, with the highest concentrations in North America and Europe.
• April 6, 2026: Security researchers published initial analysis confirming the vulnerability is trivially exploitable with no authentication, and proof-of-concept activity is accelerating.

The pattern here mirrors what we saw with previous Fortinet vulnerabilities like CVE-2023-48788 (FortiClient EMS SQL injection) and CVE-2024-47575 (FortiManager “FortiJump”). Threat actors move within days of disclosure, and organizations that wait even a week to patch find themselves compromised.

For Texas businesses running Fortinet infrastructure — and there are many, since FortiGate and FortiClient are popular choices for SMBs in the Dallas-Fort Worth, Houston, and San Antonio markets — this is a serious threat that should be addressed promptly.

Recommended Steps: What to Prioritize

If you run FortiClient EMS 7.4.5 or 7.4.6, we recommend prioritizing the following steps.

1. Apply the Emergency Hotfix

Fortinet has released an emergency hotfix for both affected versions. Download it from the Fortinet Support Portal and apply it during your next available maintenance window — or create an emergency window if you don’t have one scheduled soon. The hotfix addresses the specific vulnerability without requiring a full version upgrade.

2. Check for Signs of Compromise

Before and after patching, review your EMS server for indicators of compromise:

• Unexpected processes running on the EMS server, particularly anything spawned by the EMS service account
• New or modified scheduled tasks that you didn’t create
• Outbound network connections to unfamiliar IP addresses, especially on non-standard ports
• Anomalous log entries in both the EMS application logs and Windows Event Logs
• New local accounts or changes to existing account privileges

If you find evidence of compromise, isolate the server immediately and engage your incident response team. Do not simply patch and move on — a compromised EMS server means every managed endpoint should be considered potentially affected.

3. Restrict EMS Network Access

Your FortiClient EMS server should never be directly exposed to the internet. If it currently is, restrict access immediately:

• Move EMS to a dedicated management VLAN that is only accessible from your internal network or through a VPN
• Implement firewall rules that limit inbound connections to EMS to only the specific subnets and ports required for endpoint communication
• Block all direct internet access to the EMS management interface

This step alone would have prevented exploitation for most of the 2,000+ exposed instances Shadowserver identified.

Longer-Term Actions: Hardening Your Fortinet Environment

Once the immediate crisis is addressed, use this as a catalyst to strengthen your overall security posture.

Upgrade to FortiClient EMS 7.4.7

The emergency hotfix is a stopgap. FortiClient EMS 7.4.7 includes the permanent fix along with additional security improvements. Plan your upgrade within the next 30 days. Test it in a staging environment if you have one, but don’t let testing become an excuse to delay indefinitely.

Review Your Network Segmentation

This vulnerability highlights a broader architectural question: how much of your management infrastructure is properly segmented? Review the network placement of all management consoles — not just EMS, but your FortiGate management interfaces, Active Directory domain controllers, backup servers, and any other high-value targets. Every management plane should sit on a restricted VLAN with explicit access controls.

Establish a Vulnerability Response Process

If this advisory caught you off guard, that’s a sign your organization needs a more structured approach to vulnerability management. At minimum, you should have:

• A monitoring process for vendor security advisories (Fortinet PSIRT, CISA KEV catalog, vendor mailing lists)
• A defined SLA for patching critical vulnerabilities (aim for 48 hours or less for CVSS 9.0+)
• A pre-approved emergency change process so critical patches aren’t held up by change advisory board schedules
• Regular vulnerability scanning to identify exposed services and missing patches before attackers do

Why This Keeps Happening — and How to Break the Cycle

Fortinet products are excellent security tools, but they are also high-value targets precisely because they sit at critical points in your network. FortiGate firewalls, FortiClient EMS, and FortiManager have all had critical vulnerabilities exploited in the wild over the past three years. This is not unique to Fortinet — Palo Alto, Cisco, and Ivanti have all faced similar issues.

The pattern is consistent: a critical vulnerability is disclosed, a patch is released, and organizations that lack automated patch management and proactive monitoring get compromised in the gap between disclosure and remediation.

Breaking this cycle requires treating patch management and security monitoring as continuous operational functions, not periodic projects. For many Texas SMBs, that means partnering with a managed security provider that monitors vulnerability feeds around the clock, maintains the expertise to assess and prioritize threats, and has the access and tooling to deploy patches rapidly across your environment.

Next Steps

1. Confirm your FortiClient EMS version — if you’re running 7.4.5 or 7.4.6, you are affected
2. Prioritize applying the hotfix and check for compromise indicators
3. Restrict network access to your EMS server if it’s internet-facing
4. Plan your upgrade to 7.4.7 within 30 days
5. Review your vulnerability management process and close the gaps this incident exposed

If you need help assessing your exposure, applying the hotfix, or investigating potential compromise, contact our team at 800-985-1365. We manage Fortinet firewall and endpoint deployments across Texas and can help you respond quickly.