What Happened
Fortinet released an out-of-band emergency hotfix on April 5, 2026, for CVE-2026-35616, a critical improper access control vulnerability in FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw carries a CVSS score of 9.1 and allows unauthenticated remote attackers to execute arbitrary code or commands by sending specially crafted API requests to the EMS server.
FortiClient EMS is the central management platform for Fortinet endpoint security deployments, responsible for pushing security policies, managing endpoint agents, and enforcing compliance across corporate devices. Administrative access to the EMS server translates directly to control over all enrolled endpoints.
Exploitation in the wild was first recorded against security researcher honeypots on March 31, 2026, by Defused Cyber, the Finnish security firm whose researchers Simo Kohonen and Nguyen Duc Anh are credited with discovering and responsibly disclosing the vulnerability to Fortinet. Internet scanning by the Shadowserver Foundation identified over 2,000 publicly accessible FortiClient EMS instances globally as of the weekend, with significant concentrations in the United States and Germany. Organizations running vulnerable versions should assume their instances have been targeted.
Fortinet has made a hotfix available for versions 7.4.5 and 7.4.6 and will release FortiClient EMS 7.4.7 with the full fix incorporated.
Sources: BleepingComputer | The Hacker News
Why This Matters for Canadian Organizations
Fortinet is one of the most widely deployed security vendors across Canadian enterprises, federal and provincial government departments, healthcare networks, financial institutions, and managed service providers. FortiClient EMS is the management backbone for endpoint security in organizations running the Fortinet Security Fabric architecture. Compromise of an EMS server gives an attacker administrative control over all enrolled FortiClient agents — including the ability to push malicious configurations, disable endpoint protections, and establish persistence across the entire managed device fleet.
Canadian managed service providers (MSPs) that operate FortiClient EMS on behalf of multiple clients face the highest exposure: a single compromised EMS instance in an MSP environment provides attackers lateral access across all downstream client environments. This makes CVE-2026-35616 a significant supply chain risk for the Canadian MSP community, which serves a large share of small and medium-sized businesses and municipal governments.
The Canadian Centre for Cyber Security (CCCS) has consistently highlighted Fortinet vulnerabilities in its advisories, given the prevalence of Fortinet infrastructure in Canadian government and critical infrastructure networks. Security teams should treat this vulnerability with the same urgency as previous Fortinet critical flaws that attracted CCCS advisories, such as CVE-2026-21643 in FortiClient EMS, which was covered in this publication on March 31, 2026.
What to Do
Apply the Fortinet emergency hotfix to FortiClient EMS 7.4.5 and 7.4.6 immediately. If upgrading to 7.4.7 is available in your update channel, proceed directly to the full release. Do not leave internet-accessible EMS instances unpatched overnight.
Review FortiClient EMS access logs for unexpected API calls, especially from external IP addresses or unfamiliar geographic regions, covering the period from March 31, 2026, to the date of your patch application. Look for API requests to administrative endpoints from sources outside your expected management network ranges.
If your EMS instance is internet-accessible, restrict management interface access to known IP ranges using network-level access controls while the patch is being applied. Audit all enrolled endpoint configurations for unexpected policy changes or agent modifications made after March 31.
MSPs managing FortiClient EMS on behalf of clients should notify clients and assess each environment individually. Report confirmed exploitation indicators to the Canadian Centre for Cyber Security at contact@cyber.gc.ca.
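One way to run the log review described above, as an added example that is not Fortinet's tooling or part of the original article. It assumes the access log is in Apache "combined"-style format; the API path prefix, the management ranges and the sample lines are constructed placeholders to replace with your own.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumptions (not from Fortinet documentation): Apache "combined"-style log
# lines, one shared prefix for API paths, and stand-in management ranges.
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.0/28")]
API_PREFIX = "/api/"  # placeholder; substitute the paths your EMS build exposes
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)  # first recorded exploitation

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def review(lines, patched_at):
    """Return (findings, unparsed): API requests from outside the management
    ranges between WINDOW_START and patched_at (timezone-aware), plus any
    lines that could not be parsed and need manual review."""
    findings, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        try:
            src = ipaddress.ip_address(m["src"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except (TypeError, ValueError):
            # TypeError: no regex match; ValueError: bad address or timestamp.
            unparsed.append(line)
            continue
        in_window = WINDOW_START <= ts <= patched_at
        is_api = m["path"].lower().startswith(API_PREFIX)
        from_mgmt = any(src in net for net in MGMT_NETWORKS)
        if in_window and is_api and not from_mgmt:
            findings.append((ts.isoformat(), str(src), m["method"], m["path"], int(m["status"])))
    return findings, unparsed

# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE = [
    '10.20.0.15 - admin [01/Apr/2026:09:12:44 +0000] "GET /api/v1/example/status HTTP/1.1" 200 512',
    '203.0.113.77 - - [02/Apr/2026:03:41:07 +0000] "POST /api/v1/example/admin HTTP/1.1" 200 88',
    '203.0.113.77 - - [28/Mar/2026:03:41:07 +0000] "POST /api/v1/example/admin HTTP/1.1" 401 88',
    '198.51.100.9 - - [03/Apr/2026:22:05:19 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'truncated line without a timestamp',
]

if __name__ == "__main__":
    hits, skipped = review(SAMPLE, datetime(2026, 4, 6, tzinfo=timezone.utc))
    for hit in hits:
        print(hit)
    print(f"{len(skipped)} line(s) could not be parsed; review by hand")
```

Set `patched_at` to the time your hotfix was applied. Unparsed lines are returned rather than dropped so that gaps in the log are reviewed by hand.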

