⚠ NCSC: Week 18: Parcel phishing with a devious twist – The "double phishing" scam 🔴 CVE: CVE-2026-40393 (CVSS 8.1) — In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can o… 📰 New article: The CISO Game in Chiasso: What a Simulated Cyber Crisis Teaches That No Presentation Ever Could

Fortinet FortiClient EMS Under Active Attack: Two Zero-Days, One Patch Window, and What Swiss Enterprises Must Do Now

CVE-2026-35616 and CVE-2026-21643 — both CVSS 9.1, both actively exploited — give unauthenticated attackers remote code execution on the endpoint management server at the centre of your network. Fortinet issued an emergency hotfix. The CISA deadline for US federal agencies has already passed. Swiss enterprises are not bound by that deadline, but the threat is identical.

On 5 April 2026, Fortinet released an out-of-band emergency patch for CVE-2026-35616, a critical improper access control vulnerability in FortiClient Enterprise Management Server (EMS) affecting versions 7.4.5 and 7.4.6. The vulnerability carries a CVSS score of 9.1. One day later, CISA added it to the Known Exploited Vulnerabilities catalogue with a patch deadline of 9 April for US federal agencies. The deadline has passed for American government systems. For Swiss enterprise networks, no equivalent mandatory timeline exists — but the threat does not wait for regulatory calendars.

The same week, researchers confirmed that a second vulnerability in the same product — CVE-2026-21643, also CVSS 9.1 — had been under active exploitation since at least 24 March, before any patch was available. The two flaws affect the same platform, were exploited within days of each other, and together represent the highest-urgency patching situation in the Swiss enterprise context since the Cisco FMC zero-day documented on this site in March. If you run FortiClient EMS in your environment and have not applied the emergency hotfix, this is the article you need to read today.

What FortiClient EMS Is and Why It Matters

FortiClient Enterprise Management Server is the central management platform for Fortinet's endpoint security suite. It handles policy deployment, endpoint configuration, compliance enforcement, telemetry collection, and remote management for FortiClient-protected workstations and servers across an organisation. In a typical Swiss enterprise deployment, FortiClient EMS has visibility into and management authority over every endpoint in the network.

This is precisely why the two vulnerabilities are so dangerous. An attacker who compromises FortiClient EMS does not simply gain access to one system — they gain administrative authority over the endpoint management infrastructure. From that position, they can push malicious configurations to managed endpoints, disable security controls, harvest credentials from stored policies, or use the management plane as a pivot point for lateral movement across the entire estate. The parallel with the Cisco Firewall Management Center zero-day from March — where Interlock ransomware used the management plane as a post-exploitation base for 36 days — is direct and instructive.

CVE-2026-35616: The Technical Picture

CVE-2026-35616 is classified as an improper access control vulnerability (CWE-284) in FortiClient EMS. The flaw allows an unauthenticated remote attacker to bypass authentication mechanisms and gain privileged access to the EMS management interface via crafted HTTP requests. Fortinet's advisory describes the impact as the ability to execute unauthorised code or commands. The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6 specifically. Version 7.4.4 and below are not affected by this particular CVE.

Exploitation of CVE-2026-35616 was confirmed as a zero-day, meaning active attacks were observed before the patch was released. Defused Cyber, the Finnish security firm credited with responsible disclosure, reported detecting in-the-wild exploitation beginning on 31 March 2026, five days before the hotfix was published. watchTowr Labs independently corroborated exploitation activity beginning on the same date. No public proof-of-concept code is available, but given the confirmed exploitation it should be assumed that working exploit code already exists in attacker toolkits.

◆ Key Takeaway

CVE-2026-35616 was exploited as a zero-day starting 31 March 2026. Fortinet released the emergency hotfix on 5 April — a five-day window during which any internet-exposed FortiClient EMS on versions 7.4.5 or 7.4.6 was a viable target with no defence except isolation. If your EMS was exposed during that window without the hotfix, assume compromise and investigate.

CVE-2026-21643: The Companion Vulnerability

CVE-2026-21643 is a separate vulnerability in FortiClient EMS affecting version 7.4.4, also rated CVSS 9.1. Defused Cyber detected active exploitation of this flaw beginning around 24 March 2026 — before it appeared on CISA's KEV catalogue and before most organisations had assessed their exposure. The attack vector for CVE-2026-21643 involves SQL injection through a crafted HTTP header value, specifically the "Site" header, enabling attackers to smuggle malicious SQL statements into the application layer.

The co-occurrence of two critical, actively exploited vulnerabilities in the same product within days of each other raises an obvious operational question: are they being chained? Fortinet and external researchers have not confirmed a documented attack chain, but the overlap has a practical consequence regardless. An organisation that responded to CVE-2026-21643 by upgrading from 7.4.4 to 7.4.5 or 7.4.6 before 5 April moved onto a build that was, at that point, exposed to CVE-2026-35616 with no hotfix available. And an EMS that was already compromised on 7.4.4 does not become clean by being upgraded: the attacker keeps whatever foothold they established. Security teams should treat both vulnerabilities as a single incident response priority, not as separate issues with independent timelines.

The Swiss Enterprise Exposure Surface

Fortinet is one of the dominant security vendors in the Swiss enterprise and financial sector market. FortiClient and FortiClient EMS are widely deployed across industries including banking, insurance, healthcare, manufacturing, and public sector. The NCSC's mandatory incident reporting data for H2 2025 noted the financial sector as the most affected by critical infrastructure incidents — a sector with significant Fortinet deployment density.

The exposure profile for Swiss organisations depends on two factors: which version of FortiClient EMS is running, and whether the management interface is internet-exposed. Fortinet recommends that EMS management interfaces should never be directly exposed to the public internet — but in practice, particularly in SME environments or organisations that deployed EMS during the pandemic-era remote work expansion, external accessibility of management interfaces is not uncommon. Swiss organisations should treat any version of FortiClient EMS as potentially affected until patched, regardless of whether internet exposure is confirmed.

Immediate Response Actions

Fortinet's official guidance is to apply the emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6, available through the FortiGuard support portal. A full patch will be included in version 7.4.7. For organisations running 7.4.4, the appropriate response is to move to a hotfixed 7.4.5 or 7.4.6 build, or to 7.4.7 once it is available, rather than relying on any interim mitigation. Upgrading from 7.4.4 to an unpatched 7.4.5 or 7.4.6 only swaps one actively exploited flaw for another. The following actions should be completed within the next 24 hours, treating this as a P1 operational response.

Confirm your version immediately. Log into the FortiClient EMS admin console and verify the exact version running. If you are on 7.4.4, 7.4.5, or 7.4.6, you are in the affected range. Apply the hotfix or upgrade to 7.4.7 as soon as it is available.

Restrict network access to the EMS management interface. Fortinet's defaults are HTTPS on TCP 443 for the admin console and TCP 8013 for FortiClient telemetry. If the admin console is reachable from any network segment other than a dedicated management VLAN or jump host, implement an access control rule to restrict it immediately. The telemetry port has to remain reachable by the endpoints it manages, including remote ones, which is the usual reason an EMS ends up internet-facing; if that is your situation, place it behind the FortiGate or VPN rather than leaving it open. Internet exposure of the admin console must be eliminated before patching is complete, not after.

Review EMS access logs for anomalous activity going back to 24 March. The confirmed exploitation window begins on 24 March for CVE-2026-21643 and 31 March for CVE-2026-35616. Pull authentication logs, API access logs, and administrative action logs for that period. Look for authentication events from unexpected source IPs, configuration changes not initiated by known administrators, and unusual endpoint policy pushes.

If compromise indicators are found, isolate and treat as a full incident. A compromised EMS server should not be remediated in place by patching alone. The management infrastructure should be isolated, forensically imaged, and rebuilt from a known-good state. Any endpoints that received policy updates during the suspect window should be investigated for tampered configurations.
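The log review step above is the one that decides whether you are patching or running an incident. Below is an added example of that review, written for this article and not Fortinet's or the article's own tooling. It reads EMS-style access logs and flags the three indicators the text names: logins or changes from outside the management network, configuration changes or policy pushes by accounts that are not on the named-administrator list, and bursts of policy pushes. The log line format, the management range, the administrator list, the push-rate baseline and the sample lines are all constructed assumptions; the real EMS export schema differs, so the regex is the part to adapt to what your EMS or SIEM actually emits.

```python
"""Added example: triage EMS-style access logs for the indicators the article
lists, from the earliest confirmed exploitation date (24 March 2026) onward.

The log format, network ranges, account names and sample lines below are
constructed for illustration; they are not FortiClient EMS's real export format.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Earliest confirmed exploitation date on the page (CVE-2026-21643).
WINDOW_START = datetime(2026, 3, 24, tzinfo=timezone.utc)

# Assumptions about the environment: management VLAN / jump-host range,
# the named administrators, and a baseline for policy-push rate per hour.
MGMT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
KNOWN_ADMINS = {"ems-admin", "j.mueller"}
MAX_PUSHES_PER_HOUR = 3

OUTSIDE_MGMT = "source outside management network"
UNKNOWN_ACCOUNT = "change by account not on the admin list"
PUSH_BURST = "policy push burst"

# Hypothetical line shape: "<iso-ts> <event> user=<name> src=<ip> [extra fields]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_ok|auth_fail|config_change|policy_push) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Constructed sample log: a login from outside the management range, followed
# by a configuration change and a burst of policy pushes from the same source,
# plus a later change by a service account that is not a named administrator.
# 203.0.113.0/24 is a documentation range, not a real attacker address.
SAMPLE_LOG = """\
2026-03-22T09:14:02Z auth_ok user=ems-admin src=10.10.50.12
2026-03-25T03:41:17Z auth_ok user=ems-admin src=203.0.113.45
2026-03-25T03:42:05Z config_change user=ems-admin src=203.0.113.45 item=exclusion_list
2026-03-25T03:43:10Z policy_push user=ems-admin src=203.0.113.45 group=All_Endpoints
2026-03-25T03:43:11Z policy_push user=ems-admin src=203.0.113.45 group=Servers
2026-03-25T03:43:12Z policy_push user=ems-admin src=203.0.113.45 group=Finance
2026-03-25T03:43:13Z policy_push user=ems-admin src=203.0.113.45 group=Branch
2026-03-27T10:02:00Z config_change user=svc_backup src=10.10.50.12 item=av_realtime
2026-03-28T11:00:00Z auth_ok user=j.mueller src=10.10.50.14
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    event["src"] = ipaddress.ip_address(event["src"])
    return event


def triage(log_text, window_start=WINDOW_START):
    """Return (reason, line) findings for events at or after window_start.

    Lines are assumed to be in time order, as an exported log normally is.
    """
    findings = []
    push_times = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ts"] < window_start:
            continue
        # Any EMS activity from outside the management range is suspect.
        if not any(ev["src"] in net for net in MGMT_NETS):
            findings.append((OUTSIDE_MGMT, line))
        # Changes or pushes by an account that is not a named administrator.
        if ev["event"] in ("config_change", "policy_push") and ev["user"] not in KNOWN_ADMINS:
            findings.append((UNKNOWN_ACCOUNT, line))
        # Sliding one-hour window over policy pushes to catch a mass push.
        if ev["event"] == "policy_push":
            push_times.append(ev["ts"])
            recent = [t for t in push_times if (ev["ts"] - t).total_seconds() <= 3600]
            if len(recent) > MAX_PUSHES_PER_HOUR:
                findings.append((PUSH_BURST, line))
    return findings


def summarise(findings):
    """Count findings per reason, for a quick first look before reading lines."""
    counts = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print(summarise(triage(SAMPLE_LOG)))
```

On the constructed sample this reports eight findings: six events from outside the management range (one login, one configuration change, four pushes), one policy-push burst on the fourth push within the hour, and one configuration change by the unlisted `svc_backup` account. The first line, dated before 24 March, is ignored by design; widen `window_start` if your own timeline or threat intelligence suggests earlier activity. A known administrator account acting from an unexpected source, as in the sample, is exactly the pattern an authentication bypass produces, which is why the source check is applied to every event and not only to logins.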

◆ Key Takeaway

The response sequence is: verify version → restrict management network access → apply hotfix → review logs from 24 March onward → escalate if indicators of compromise are found. Do not treat patching alone as sufficient if the EMS was exposed during the exploitation window.

Regulatory Implications Under the Swiss ISA

Swiss organisations subject to the mandatory incident reporting obligation under the Information Security Act — which covers critical infrastructure operators across finance, energy, healthcare, transport, and telecommunications — must assess whether a confirmed or suspected compromise of their FortiClient EMS constitutes a reportable incident. The ISA requires notification to the NCSC within 24 hours of discovering a significant cyber incident affecting the availability, confidentiality, or integrity of systems essential to the organisation's critical functions.

A compromise of an endpoint management server that has authority over all managed workstations almost certainly meets the threshold for "significant impact on information systems." FINMA-supervised institutions face the additional obligation to report to FINMA within 24 hours of an incident detection, with the option of routing that notification through the NCSC for simultaneous forwarding as permitted under the coordination mechanism introduced with the ISA framework. Organisations that are uncertain about their reporting obligations in this scenario should consult their legal counsel and CISO before concluding that no report is required.

The Pattern Behind the Headlines

This is the third critical management-plane zero-day documented in this publication in five weeks: Cisco FMC in March, and now two consecutive Fortinet EMS vulnerabilities in April. The pattern is not coincidental. Security management infrastructure — the systems that have authority over the security controls protecting everything else — is an extremely high-value target for sophisticated threat actors, including ransomware groups. Compromise of a management plane provides both the access and the authority needed to disable defensive controls, stage data exfiltration, and deploy ransomware payloads at scale across an entire environment.

Swiss CISOs and security architects should take the pattern as a signal to audit the network exposure and patching posture of all security management infrastructure — not just FortiClient EMS. Firewall management consoles, SIEM platforms, EDR management servers, backup management interfaces, and privileged access management systems all represent the same category of high-value target. None of them should be internet-exposed. All of them should be on dedicated management network segments with access restricted to named, authenticated administrators via monitored jump hosts. The vulnerabilities change week to week. The architectural principle that limits their blast radius does not.