Fortinet has disclosed two critical vulnerabilities in FortiClient Endpoint Management Server (EMS) that are both under active exploitation in the wild. CVE-2026-35616 is an improper access control flaw (CWE-284) that allows an unauthenticated attacker to bypass API authentication and execute unauthorized code or commands via crafted requests. CVE-2026-21643 is a SQL injection vulnerability (CWE-89) exploitable by remote, unauthenticated attackers via specially crafted HTTP requests. Both vulnerabilities warrant immediate action given confirmed in-the-wild exploitation and the central role FortiClientEMS plays in enterprise endpoint management.  

What do I need to know? 

CVE-2026-35616 — Improper Access Control / API Authentication Bypass 

Vulnerability: CVE-2026-35616
Severity: 9.1 (Critical) – CVSS v3.1, per vendor advisory; NVD score pending
Attack Vector: Network – unauthenticated, no user interaction required
Impacted Products:
  • Fortinet FortiClientEMS 7.4.5
  • Fortinet FortiClientEMS 7.4.6
Potential Impact:
  • Unauthenticated remote code execution on the EMS server
  • Privilege escalation and unauthorized command execution
  • Lateral movement across managed endpoints via policy manipulation

CVE-2026-21643 — SQL Injection 

Vulnerability: CVE-2026-21643
Severity: 9.1 (Critical) – CVSS v3.1, per vendor advisory; NVD score pending
Attack Vector: Network – unauthenticated, via HTTP requests
Impacted Products:
  • Fortinet FortiClientEMS 7.4.4 (multi-tenant mode deployments only)
  • FortiClientEMS 7.2.x and 8.0.x branches are NOT affected
Potential Impact:
  • Unauthenticated remote code execution via SQL injection
  • Unauthorized database command execution

What do I need to do? 

We recommend the following steps to identify and remediate these vulnerabilities: 

Review and Audit 

  • Identify all instances of FortiClientEMS in your environment and confirm the installed version. 
  • CVE-2026-35616: Flag any deployments running versions 7.4.5 or 7.4.6 without the applied hotfix. 
  • CVE-2026-21643: Flag any deployments running version 7.4.4, particularly those with multi-tenant mode enabled. Single-site deployments are not affected. 
  • Review EMS server logs for anomalous API requests or unexpected command execution activity indicative of exploitation. 
  • Fortinet has not published indicators of compromise; detection currently relies on log review and configuration auditing. 

Patch Immediately 

  • CVE-2026-35616 — FortiClientEMS 7.4.5: Apply the out-of-band hotfix: FortiClientEMS 7.4.5 Release Notes 
  • CVE-2026-35616 — FortiClientEMS 7.4.6: Apply the out-of-band hotfix: FortiClientEMS 7.4.6 Release Notes 
  • CVE-2026-35616 — Permanent fix: Included in the upcoming FortiClientEMS 7.4.7 release. 
  • CVE-2026-21643: Upgrade from FortiClientEMS 7.4.4 to version 7.4.5 immediately. 

Mitigation (If Patching Is Delayed) 

  • Restrict network access to the FortiClientEMS administrative interface to trusted IP ranges only; do not expose it directly to the internet. 
  • Implement web application firewall rules to block anomalous HTTP header injection patterns (relevant to CVE-2026-21643). 
  • Monitor EMS server processes for unexpected child process spawning (e.g., cmd.exe, powershell.exe) as a potential indicator of CVE-2026-35616 exploitation. 
  • Treat any internet-exposed FortiClientEMS instance as potentially compromised pending patch application, given confirmed in-the-wild exploitation of both vulnerabilities. 
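As an added example (not from Fortinet or NetSPI), the child-process monitoring suggested above can be expressed as a small detection over Sysmon process-creation records. It assumes Sysmon Event ID 1 data flattened to key=value lines; the EMS parent process names and the sample events are constructed placeholders, so substitute the executables actually observed on your EMS host.

```python
import re
import ntpath

# Assumption: placeholder names for the EMS server-side processes. Replace them with
# the service and web-server executables seen on your own FortiClientEMS host.
EMS_PARENT_PROCESSES = {"fcems_placeholder.exe", "ems_web_placeholder.exe"}
# Shells the advisory calls out as unexpected children of an EMS process (pwsh.exe added).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample Sysmon Event ID 1 records (key=value form); paths are made up.
SAMPLE_EVENTS = [
    r"EventID=1 UtcTime=2026-04-02 10:15:01 Image=C:\Windows\System32\cmd.exe "
    r"ParentImage=C:\Program Files (x86)\Fortinet\FortiClientEMS\fcems_placeholder.exe CommandLine=cmd.exe /c ver",
    r"EventID=1 UtcTime=2026-04-02 10:15:07 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"ParentImage=C:\Program Files (x86)\Fortinet\FortiClientEMS\ems_web_placeholder.exe CommandLine=powershell.exe Get-Date",
    r"EventID=1 UtcTime=2026-04-02 10:16:30 Image=C:\Windows\System32\cmd.exe "
    r"ParentImage=C:\Windows\explorer.exe CommandLine=cmd.exe",
    r"EventID=1 UtcTime=2026-04-02 10:17:02 Image=C:\Windows\System32\conhost.exe "
    r"ParentImage=C:\Program Files (x86)\Fortinet\FortiClientEMS\fcems_placeholder.exe CommandLine=conhost.exe",
    r"EventID=3 UtcTime=2026-04-02 10:17:05 Image=C:\Program Files (x86)\Fortinet\FortiClientEMS\fcems_placeholder.exe DestinationPort=443",
]

# Each field runs up to the next " Key=" token, so paths containing spaces stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one flattened Sysmon record into a field dictionary."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}

def is_ems_shell_spawn(event):
    """True when a process-creation event shows an EMS process spawning a shell."""
    if event.get("EventID") != "1":          # ignore network, file and other event types
        return False
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent in EMS_PARENT_PROCESSES and child in SUSPICIOUS_CHILDREN

def find_ems_shell_spawns(lines):
    """Return one finding per EMS -> shell spawn, keeping the fields an analyst triages."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if is_ems_shell_spawn(event):
            findings.append({
                "time": event.get("UtcTime", ""),
                "parent": ntpath.basename(event["ParentImage"]),
                "child": ntpath.basename(event["Image"]),
                "cmdline": event.get("CommandLine", ""),
            })
    return findings
```

Run over the sample data, only the two EMS-to-shell spawns are reported; the explorer.exe launch and the conhost.exe child are ignored, as is the network event.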

NetSPI Product and Services Coverage 

NetSPI’s External Attack Surface Management is issuing a detection for CVE-2026-21643, which will present as: SQL Injection – Fortinet FortiClientEMS (CVE-2026-21643) 

NetSPI’s Penetration Testing Services can also help identify exposure to these vulnerabilities. 


© 2026 NetSPI LLC.