A critical zero-day vulnerability in Fortinet's FortiClient EMS is under active exploitation, allowing attackers to bypass authentication and execute arbitrary code on endpoint management systems widely deployed across UK mid-market organisations. CVE-2026-35616 represents an immediate threat to enterprise network security, with attackers requiring no prior credentials to compromise affected systems.
Fortinet confirmed the flaw carries a CVSS score of 9.1 and affects FortiClient EMS versions 7.4.5 and 7.4.6. FortiClient EMS is an endpoint management system that centralises security policy deployment, monitoring, and control across enterprise devices - making it a high-value target for attackers seeking lateral movement capabilities.
Key Facts:
- CVE-2026-35616 enables unauthenticated remote code execution via crafted API requests
- Active exploitation confirmed by Fortinet with emergency hotfixes now available
- Vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6 with CVSS score of 9.1
- Endpoint management systems provide privileged access to enterprise device fleets
What Makes This Vulnerability So Dangerous?
According to reporting from Help Net Security, the authentication bypass allows attackers to send specially crafted API requests to FortiClient EMS servers, gaining unauthorised access without valid credentials. This creates a direct pathway into enterprise networks through systems specifically designed to manage endpoint security policies. The vulnerability's severity stems from FortiClient EMS's privileged position within network infrastructure - compromise of these systems can facilitate mass deployment of malware across managed endpoints or extraction of sensitive configuration data.
The active exploitation timeline suggests organised threat actors have developed working exploits, potentially targeting the substantial installed base of Fortinet products across UK organisations. Similar supply chain-style attacks have demonstrated how attackers leverage trusted infrastructure components to achieve broad network compromise.
Emergency Response Requirements
Fortinet has released emergency hotfixes for affected versions, but the narrow update window creates implementation challenges for UK organisations managing distributed endpoint fleets. The NCSC's guidance on critical vulnerability management emphasises immediate patching for actively exploited flaws, particularly those affecting network infrastructure components. Organisations must balance rapid deployment against potential service disruption during emergency maintenance windows.
Temporary mitigation involves restricting API access through network segmentation and implementing additional authentication layers where possible. However, these measures provide limited protection against an authentication bypass vulnerability, making urgent patching the primary defence strategy.
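The first step in both the patching and the segmentation work above is knowing which hosts actually run an affected build. The following Python is an added example, not code from the article or from Fortinet: it triages a constructed asset export (the hostnames, owners and CSV column names are invented for this illustration) against the two affected versions the article names, 7.4.5 and 7.4.6. It parses the version as a full dotted triple rather than doing a substring match, so a host on 7.4.50 is not mistaken for 7.4.5, rows for other Fortinet products are ignored, and unparseable versions are routed to a manual review bucket instead of being silently dropped.

```python
import csv
import io
import re

# Affected versions as stated in the article; the page names only these two,
# so anything else is reported as "not listed" rather than declared safe.
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
PRODUCT_NAME = "FortiClient EMS"

# Constructed sample asset export; hostnames, build strings, owners and the
# column layout are invented for this example and are not from any real CMDB.
SAMPLE_INVENTORY = """\
hostname,product,version,owner
ems-lon-01,FortiClient EMS,7.4.5,Endpoint Team
ems-lon-02,FortiClient EMS,v7.4.6 build 0123,Endpoint Team
ems-man-01,FortiClient EMS,7.4.50,Endpoint Team
ems-lab-01,FortiClient EMS,7.4.7,Lab
fgt-edge-01,FortiGate,7.4.5,Network Team
ems-bad-01,FortiClient EMS,unknown,Endpoint Team
"""

# Match a full dotted triple at the start of the field; the trailing negative
# lookahead stops "7.4.50" from being read as "7.4.5" followed by junk.
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Return (major, minor, patch) or None when the string has no usable version."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def classify(version_text):
    """Classify one version string against the advisory's affected list."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "needs_review"   # blank or unparseable: confirm on the console by hand
    if parsed in AFFECTED_VERSIONS:
        return "affected"       # hotfix required
    return "not_listed"         # not named on the page; check the vendor advisory


def triage_inventory(csv_text):
    """Group FortiClient EMS hosts from a CSV export by patch status.

    Rows for other products are skipped so that, for example, a FortiGate
    reporting 7.4.5 does not land on the EMS patch list.
    """
    buckets = {"affected": [], "needs_review": [], "not_listed": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("product", "").strip() != PRODUCT_NAME:
            continue
        buckets[classify(row.get("version"))].append(row["hostname"])
    return buckets


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The "not_listed" bucket is deliberately not labelled "safe": the article only names the two affected versions, so anything else should be checked against Fortinet's advisory before it is excluded from the emergency change.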
Boardroom Questions
- Do we have visibility into which versions of FortiClient EMS are deployed across our network infrastructure?
- What is our maximum acceptable timeframe for deploying emergency security patches to critical network management systems?
- How would compromise of our endpoint management platform affect our ability to respond to a broader security incident?
Quick Diagnostic
- Can you identify all FortiClient EMS deployments in your network within 24 hours?
- Do you have established emergency patching procedures that bypass standard change control for actively exploited vulnerabilities?
- Are your endpoint management systems segmented from general network traffic and subject to additional access controls?