Inside the FortiClient EMS Zero-Day: How CVE-2026-35616 Became One of 2026's Most Dangerous Enterprise Exploits
In late March 2026, threat actors silently slipped into enterprise networks around the world through a flaw that Fortinet had not yet publicly acknowledged. By the time the security vendor published its emergency advisory on April 4, attackers had already been active inside affected environments for days. The vulnerability, tracked as CVE-2026-35616, quickly became one of the most critical and actively exploited security flaws of the year, exposing a fundamental weakness at the very heart of enterprise endpoint management infrastructure.
What Is FortiClient EMS and Why It Matters
FortiClient Endpoint Management Server, commonly known as FortiClient EMS, is a centralized security management solution developed by Fortinet that enables organizations to deploy, configure, and monitor FortiClient software across all managed endpoints in their environment. It acts as the nerve center of an enterprise's endpoint security posture, enforcing device compliance policies, managing VPN configurations, applying application firewall rules, and maintaining real-time visibility across every connected device on the corporate network.
For large organizations with thousands of managed endpoints spread across multiple offices, cloud environments, and remote locations, FortiClient EMS is not a peripheral tool. It is a core piece of infrastructure. Whoever controls the EMS server, in effect, controls the security configuration of every endpoint beneath it. That is precisely what made CVE-2026-35616 so alarming the moment its true nature was understood.
The Vulnerability: A Critical Flaw in API Access Control
CVE-2026-35616 is classified as an improper access control vulnerability residing within the FortiClient EMS API layer. The API is responsible for managing all communication between the central EMS server and the distributed endpoints it governs. The flaw allows an unauthenticated attacker to bypass the API's authentication mechanisms entirely and send privileged requests to affected deployments as if they were a trusted administrator.
In practical terms, when specially crafted HTTP requests are sent to specific FortiClient EMS endpoints without valid credentials, the server processes those requests as legitimate administrative actions. No username. No password. No certificate. The authentication gate simply does not apply. From that entry point, a threat actor gains the ability to interact with EMS administrative functionality, manipulate endpoint configurations, push malicious policies to managed devices, and establish a foothold deep inside the enterprise environment. The vulnerability was assigned a CVSS score of 9.1, reflecting its critical severity, and its exploitation requires no prior access or privileges whatsoever.
Researchers from Arctic Wolf who analyzed active exploitation attempts observed a consistent indicator in FortiClient EMS logs when attacks were underway: the log line "Certificate not found in request header" appearing repeatedly, serving as a forensic fingerprint that security teams can use to identify whether their environments have been targeted.
Zero-Day Exploitation Before the Advisory Even Existed
What makes CVE-2026-35616 particularly significant is the timeline of its discovery and disclosure. On March 31, 2026, cybersecurity firm watchTowr detected active exploitation of this vulnerability through its Attacker Eye sensor network, identifying real-world attacks against FortiClient EMS deployments before Fortinet had published any advisory or even confirmed the issue publicly. Fortinet's own security advisory did not appear until April 4, 2026, meaning attackers had a window of at least four days during which the vulnerability was being weaponized in the wild with no patch, no hotfix, and no public warning available to defenders.
The timing of the earliest known exploitation, Easter weekend 2026, was not coincidental. Security researchers noted that the attacks began during a period when enterprise security teams are typically operating with reduced staffing levels, incident response capacity is lower, and alerts are more likely to go unnoticed. The strategic selection of a holiday weekend to initiate exploitation reflects a level of operational planning that points to organized and experienced threat actors rather than opportunistic attackers.
By the time Fortinet confirmed the active exploitation and issued its emergency advisory, the vulnerability had already been added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, formally acknowledging it as a real and immediate threat to federal agencies and critical infrastructure operators.
The EKZ Infostealer Campaign: Weaponizing Trust
While the initial wave of exploitation was damaging in its own right, the attack evolved into something more insidious in the weeks that followed. Security researchers at Arctic Wolf documented a sophisticated follow-on campaign in which threat actors leveraged their access to compromised FortiClient EMS servers to push a credential-stealing malware payload directly to all managed endpoints under the server's control.
The malware, identified as the EKZ Infostealer, was disguised as a legitimate Fortinet endpoint software update. Managed endpoints received what appeared to be a routine patch delivery from their own trusted management infrastructure, triggering silent execution of the malicious executable through PowerShell. Because the payload arrived through the same channel that organizations rely on for legitimate security updates, many endpoint protection solutions initially failed to flag it as suspicious. The attack abused the inherent trust relationship between the EMS server and its managed clients, turning an organization's own security tooling against itself.
The EKZ Infostealer is designed to harvest credentials stored in browsers, applications, and system memory, along with session tokens, saved passwords, and cryptographic material. Once exfiltrated, this data can be used to facilitate further compromise, enable account takeover attacks, or be sold to other threat actors on dark web marketplaces. The campaign demonstrated that exploitation of CVE-2026-35616 was not merely about achieving initial access. Attackers had a complete post-compromise playbook ready to deploy the moment they gained control of an EMS server.
A Pattern of Critical Vulnerabilities in the Same Product
The emergence of CVE-2026-35616 was not an isolated event. It arrived just weeks after the public disclosure of CVE-2026-21643, a separate critical vulnerability in FortiClient EMS involving SQL injection through the Site HTTP header, which had also been actively exploited as a zero-day before a fix was available. The rapid succession of two unauthenticated critical flaws in the same product within such a short timeframe drew sharp scrutiny from the security research community.
The pattern raises serious questions about the security architecture underlying FortiClient EMS. Whether the back-to-back disclosures reflect a systemic weakness in how the product was originally designed and how its API layer was secured, or whether they represent an increased and deliberate focus by sophisticated threat actors on a high-value target that provides centralized control over enterprise endpoint security, the outcome for organizations running affected versions has been the same: a product they depend on to protect their environment became a primary vector for compromise.
Fortinet has a documented history of being targeted by state-sponsored and financially motivated threat actors. Its products occupy a privileged position in enterprise security architectures, making them attractive targets for adversaries who understand that compromising a security vendor's tooling can provide access to thousands of downstream customers simultaneously. Public exploit code for CVE-2026-35616 was identified and made available shortly after disclosure, significantly lowering the technical barrier required for less sophisticated actors to weaponize the flaw.
Affected Versions and Remediation
CVE-2026-35616 affects FortiClient EMS versions 7.4.5 and 7.4.6. Organizations running FortiClient EMS on the 7.2 branch are not affected by this specific vulnerability. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April 2026, with the company stating that the provided hotfixes are sufficient to prevent exploitation entirely when applied. A full software patch was incorporated into FortiClient EMS 7.4.7, released subsequently.
Security teams that have not yet applied the hotfix or upgraded to 7.4.7 should treat their FortiClient EMS deployments as potentially compromised rather than merely vulnerable. Given the confirmed exploitation window beginning on March 31 and the subsequent credential-harvesting campaign, organizations should immediately audit FortiClient EMS server logs for the "Certificate not found in request header" indicator, review network traffic records for anomalous API requests, inspect managed endpoint systems for signs of unauthorized software execution, and rotate all credentials that may have been accessible from affected endpoints.
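As an added illustration (not code from the article, Arctic Wolf or Fortinet), the following Python script performs the log audit described above: it scans exported EMS log lines for the "Certificate not found in request header" indicator, summarises hits per source address and flags sources that produced a burst of repeated hits. The line layout and the sample log are constructed assumptions, so adjust LINE_RE to match your actual export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator reported by Arctic Wolf during CVE-2026-35616 exploitation.
INDICATOR = "Certificate not found in request header"

# Assumed line layout (NOT Fortinet's real EMS log format):
#   <ISO-8601 UTC timestamp> <level> src=<ip> msg="<text>"
LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+\S+'
                     r'\s+src=(?P<src>[\d.]+)\s+msg="(?P<msg>[^"]*)"')

def parse_line(line):
    """Return (timestamp, source_ip, message) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["msg"])

def max_burst(times, window):
    """Largest number of events from one source inside any span of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def scan(lines, window=timedelta(seconds=60), threshold=5):
    """Summarise indicator hits per source and flag bursty sources."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and INDICATOR in parsed[2]:
            hits[parsed[1]].append(parsed[0])
    summary = {src: {"count": len(ts),
                     "first_seen": min(ts).isoformat(),
                     "last_seen": max(ts).isoformat(),
                     "burst": max_burst(ts, window)} for src, ts in hits.items()}
    flagged = sorted(s for s, v in summary.items() if v["burst"] >= threshold)
    return summary, flagged

# Constructed sample export: one noisy source repeating the indicator, one benign host.
SAMPLE_LOG = """\
2026-04-02T03:14:01Z WARN src=203.0.113.7 msg="Certificate not found in request header"
2026-04-02T03:14:02Z WARN src=203.0.113.7 msg="Certificate not found in request header"
2026-04-02T03:14:02Z INFO src=198.51.100.20 msg="Endpoint check-in accepted"
2026-04-02T03:14:04Z WARN src=203.0.113.7 msg="Certificate not found in request header"
2026-04-02T03:14:05Z WARN src=203.0.113.7 msg="Certificate not found in request header"
2026-04-02T03:14:09Z WARN src=203.0.113.7 msg="Certificate not found in request header"
2026-04-02T09:30:00Z WARN src=198.51.100.20 msg="Certificate not found in request header"
""".splitlines()
```

Calling `scan(SAMPLE_LOG)` flags 203.0.113.7 (five hits within one minute) while the single hit from 198.51.100.20 is reported but not flagged; any flagged source is a candidate for the traffic review and endpoint inspection steps above.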
The Broader Implications for Enterprise Security
The FortiClient EMS zero-day campaign illustrates a threat model that security architects increasingly need to account for: the weaponization of trusted management infrastructure. When an attacker gains control of the system that is responsible for enforcing security policy across an entire endpoint fleet, the attack surface is not just one server. It is every device that server manages. The compromise multiplies across the organization in a single operation.
This dynamic is not unique to Fortinet. Any centralized management platform, whether it governs endpoints, cloud workloads, network devices, or identity systems, represents a high-value target whose compromise can cascade through an entire environment. The security of these management planes deserves the same level of scrutiny and hardening applied to the assets they oversee.
The CVE-2026-35616 campaign is a reminder that enterprise security tools are themselves part of the attack surface. Organizations must apply patches to their security products with the same urgency they apply to operating systems and business applications, monitor their management infrastructure for signs of abuse, and architect their environments so that a single compromised management server cannot silently reach every endpoint in the organization without additional verification barriers in the path.
Fortinet has urged all customers running affected versions to apply available hotfixes immediately and review their environments for indicators of compromise. For organizations that delayed, the window for a clean and unimpacted response to this vulnerability closed weeks ago; those still running unpatched deployments should assume that window is gone.