
In April 2026, active exploitation of a newly disclosed vulnerability in Fortinet FortiClient EMS, tracked asย CVE-2026-35616, was observed in the wild. This vulnerability originates from flaws in the request handling logic of the EMS server and may lead to remote code execution (RCE) or full system compromise if exploited without authentication.
This issue goes beyond a typical vulnerability disclosure. With confirmed attack attempts and a significant number of externally exposed assets, it highlights a critical risk from an attack surface perspective.
This article outlines the technical characteristics of CVE-2026-35616, analyzes the expected attack flow, and examines how externally exposed FortiClient EMS assets identified through Criminal IP can become directly exploitable in real-world scenarios.
Overview of the FortiClient EMS Vulnerability
| Vulnerability ID | CVE-2026-35616 |
| Affected Product | FortiClient EMS |
| Vulnerability Type | Authentication bypass / Remote Code Execution |
| CVSS Score | Critical (active exploitation observed) |
| Attack Condition | No authentication required (pre-auth) |
| Affected Scope | Internet-exposed EMS servers |
FortiClient EMS is a centralized management server responsible for endpoint security policy enforcement, client deployment, updates, and access control. Due to its role, compromise of an EMS server can impact not just a single system but the entire endpoint environment of an organization.
Attack Flow Analysis

The attack begins with identifying FortiClient EMS servers exposed to the internet. Since EMS provides a web-based management interface, its presence can be detected relatively easily through service identification or port scanning.
Once a vulnerable endpoint is identified, attackers can send a crafted request that is processed as legitimate by the server, bypassing authentication and enabling code execution. This process requires no user interaction and can establish initial access with a single request.
After initial compromise, attackers may deploy web shells, access internal networks, escalate privileges, and expand their foothold. Given the centralized role of EMS, such compromise can propagate across the organizationโs internal environment.
Internet-Exposed FortiClient EMS Assets Observed via Criminal IP
In this analysis, favicon-based detection was used to identify FortiClient EMS web interfaces.
Criminal IP Search Query:ย favicon: -2fb77099

This favicon value was derived from the web icon used by FortiClient EMS and allows identification of assets using the same management interface.
As of April 17, 2026, more than 500 FortiClient EMS-related assets were identified as exposed to the internet. Some of these were directly accessible via HTTPS.
Despite having login pages, these systems remain vulnerable due to the pre-authentication nature of the vulnerability. This represents not just service exposure, but fully accessible management systems that attackers can exploit immediately.

Analysis of specific assets reveals environments where multiple services and web interfaces are exposed simultaneously, rather than a single service endpoint. These systems are accessible via HTTPS, and response data suggests the presence of administrative functionality.
Additionally, the presence of rich metadata indicates that these are likely production systems rather than test environments. In such cases, attackers can identify services, infer versions, and expand attack paths incrementally.
When management systems like FortiClient EMS are exposed externally, combining this exposure with a pre-auth vulnerability significantly lowers the barrier for initial compromise, potentially impacting the entire security environment.
Mitigation and Recommendations
The highest priority is to apply the latest security patches provided by Fortinet. Unpatched systems exposed to the internet are highly likely to become targets. Organizations should also verify whether EMS servers are externally accessible. If not required, access should be restricted or limited to internal networks or VPN connections. Continuous monitoring of server logs is also critical to detect abnormal requests or suspicious activity.
Vulnerability response should not be limited to patching alone. It must include validation of whether the asset is exposed as part of the attack surface.
FAQ
Q1. Is it safe if a login page is present?
No. Since this vulnerability can be exploited before authentication, the presence of a login interface does not provide effective protection. External exposure itself is the primary risk factor.
Q2. Why are EMS servers exposed externally if they are internal systems?
Exposure often occurs due to operational convenience, remote management requirements, or misconfigurations. These factors can unintentionally expand the attack surface.
Conclusion
CVE-2026-35616 is a vulnerability in FortiClient EMS, but more importantly, it demonstrates how externally exposed management systems can become direct attack paths. With over 500 EMS assets exposed to the internet, exploitation is not merely theoretical but represents a realistic and immediate threat. The ability to execute attacks before authentication further increases the severity by bypassing traditional defense mechanisms.
The key takeaway from this issue is that security cannot rely solely on patching. Identifying exposed assets and prioritizing response based on real-world exploitability is essential. Criminal IP enables this process by providing visibility into externally exposed assets, supporting more effective and practical security operations.
In relation to thi,s you can refer toย CVE-2026-34197: Apache ActiveMQ RCE Vulnerability Analysis.
You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo using the button below and explore Criminal IPโs threat intelligence (TI) analysis of externally exposed assets at the enterprise level.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up forย a free Criminal IP accountย today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source:ย Criminal IP(https://www.search.criminalip.io/), The Hacker News(https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html), Bleeping Computer(https://www.bleepingcomputer.com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/)
Related Article:ย https://www.criminalip.io/knowledge-hub/blog/33906
