
Fortinet's FortiClient EMS Got Hit Twice


The week started with a quiet advisory and got loud fast. Fortinet released an emergency out-of-band hotfix for CVE-2026-35616 in FortiClient EMS, a CVSS 9.1 pre-authentication API access bypass that lets attackers skip authorization entirely and escalate to admin-level code execution. By the time the hotfix was out, exploitation had already been running for days.

Defused Cyber's honeypots logged the first attempts on March 31. Shadowserver found over 2,000 FortiClient EMS instances exposed to the internet. Most of them are still running vulnerable versions.

That alone would be a bad week. Then came the companion flaw.

The Actual Vulnerability Pair

CVE-2026-35616 is the headliner: an improper access control flaw in the FortiClient EMS API. Unauthenticated attackers send crafted requests that bypass the API's authentication and authorization checks, then land with enough privilege to execute code or commands on the underlying system. It affects versions 7.4.5 and 7.4.6. A full fix arrives in 7.4.7, which isn't out yet. The hotfix patches the immediate exposure without the version bump.

CVE-2026-21643 is the one that got less attention, which is a mistake. It's a SQL injection flaw in multi-tenant FortiClient EMS 7.4.4 deployments, exploitable remotely without authentication via the /api/v1/init_consts endpoint. Attackers smuggle SQL statements through the Site header in HTTP requests. Because the endpoint returns database error messages and has no lockout protections, attackers can rapidly extract sensitive data through blind and error-based enumeration. Shodan was showing close to 1,000 exposed instances of the affected version when researchers first looked.

Two different vulnerability classes, same product, same authentication-free attack surface. Both have confirmed exploitation in the wild.

Why FortiClient EMS Keeps Showing Up in This List

FortiClient EMS is enterprise endpoint management software. It manages agent deployments, enforces compliance posture, and connects endpoints back to FortiGate firewalls. When it's internet-exposed, which it often is in distributed organizations and MSSP environments, it becomes a high-value target that sits at the intersection of identity, endpoint, and network.

Fortinet has had a rough run of unauthenticated, pre-patch exploitation across its product line: FortiOS SSL VPN, FortiManager, FortiAnalyzer. The pattern is consistent: critical advisory, exploitation already active, emergency hotfix, organizations scramble. Ransomware groups and nation-state actors have both learned to watch Fortinet's security advisories the same way researchers do, because the gap between disclosure and patch is predictable and the gap between patch and deployment is even more predictable.

The 2,000+ exposed instances are not a surprise. They are a baseline reality for internet-exposed management software in large organizations, where change management, maintenance windows, and "we'll patch it next cycle" thinking create exactly the exposure window attackers need.

What You Should Do Right Now

Apply the hotfix for CVE-2026-35616 immediately. Fortinet has released it for the affected 7.4.x versions. 7.4.7 with the full patch is coming, but waiting for it is not the right call.

For CVE-2026-21643, patch to the fixed version for your 7.4.4 multi-tenant deployments. If you can't patch immediately, restrict access to the /api/v1/init_consts endpoint at the network layer and review your WAF rules.

More broadly: FortiClient EMS should not be directly internet-exposed unless there is a specific architectural requirement. Put it behind a VPN or zero-trust access gateway. Segment it from your broader production environment. If you're an MSSP managing FortiClient EMS for clients, assume some of those deployments are already compromised and start threat hunting rather than waiting for EDR alerts.

Check Shadowserver's data for your IP ranges. If you show up, you should assume adversarial reconnaissance has already occurred.
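One place to start the threat hunting described above, for the CVE-2026-21643 endpoint specifically, is the access log of whatever sits in front of EMS. The script below is an added example, not Fortinet's or the author's code: it assumes a combined-format access log with the request's Site header logged as an extra quoted field, assumes the RFC 1918 ranges are the only networks that should reach the API, and flags three things on /api/v1/init_consts: hits from outside those networks (the access restriction recommended above, turned into a detection), SQL metacharacters in the Site header after URL-decoding, and 5xx responses, since error-based enumeration leaves a trail of database errors. The log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed log format (assumption): Apache/nginx "combined" format with the
# request's Site header appended as one more quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<site>[^"]*)"$'
)
# Networks from which EMS API traffic is expected (assumed; adjust per site).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Characters and keywords that do not belong in a tenant site name. Generic SQL
# injection indicators, not a signature for any specific payload.
SQL_META = re.compile(r"""['";]|--|/\*|\b(select|union|sleep|waitfor|pg_sleep)\b""", re.I)
ENDPOINT = "/api/v1/init_consts"

def classify(line):
    """Return a list of findings for one log line (empty if benign, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    if m["path"].split("?", 1)[0] != ENDPOINT:
        return findings                      # only the vulnerable endpoint is in scope
    src = ipaddress.ip_address(m["ip"])
    if not any(src in net for net in ALLOWED_NETS):
        findings.append("init_consts reached from outside allowed networks")
    if SQL_META.search(unquote(m["site"])):  # decode %27 etc. before matching
        findings.append("SQL metacharacters in Site header")
    if m["status"].startswith("5"):          # error-based enumeration leaves 5xx trails
        findings.append("server error on init_consts (possible DB error leakage)")
    return findings

def scan(lines):
    """Run classify() over an iterable of log lines; return [(source_ip, findings), ...]."""
    return [(line.split()[0], f) for line in lines if (f := classify(line))]

# Constructed sample lines: one benign internal request, one error-based probe,
# one unrelated request, one out-of-policy external hit, one URL-encoded probe.
SAMPLE_LOG = [
    '10.1.2.3 - - [31/Mar/2026:10:00:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "FortiClient/7.4" "tenant-a"',
    '203.0.113.7 - - [31/Mar/2026:10:00:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 231 "-" "python-requests/2.31" "tenant-a\'"',
    '203.0.113.8 - - [31/Mar/2026:10:00:03 +0000] "GET /ui/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [31/Mar/2026:10:00:04 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "curl/8.5.0" "tenant-b"',
    '198.51.100.4 - - [31/Mar/2026:10:00:05 +0000] "GET /api/v1/init_consts?x=1 HTTP/1.1" 500 240 "-" "curl/8.5.0" "tenant%27%3B--"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

Any source that trips the first check alone is a policy gap to close at the network layer; a source that trips the second or third is a reason to pull the full request history for that IP and check the EMS host itself.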

The Pattern Is Predictable and That's the Problem

The uncomfortable truth about critical vulnerabilities in network and endpoint management tools is that the discovery-to-exploitation timeline keeps compressing. Researchers find the flaw, post a detailed advisory, and attackers run with the technical details within hours. Fortinet has been here before. So have Ivanti, Palo Alto, and Cisco. The common thread is internet-exposed management software with insufficient authentication controls.

You can argue about vendor responsibility, and you'd be right. But the operational reality is that the time between "Fortinet releases advisory" and "your FortiClient EMS gets owned" is measured in days, not weeks. If your patching process can't move faster than that, the vulnerability isn't really your biggest problem.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want the uncomfortable conversation before the incident report.