PT-2026-30288 · Fortinet · Forticlientems
Published
2026-04-04
·
Updated
2026-07-09
·
CVE-2026-35616
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
FortiClient EMS versions 7.2.0 through 7.2.2
FortiClient EMS versions 7.4.x
Description
An improper access control vulnerability exists in the FortiClient Enterprise Management Server (EMS) that allows unauthenticated remote attackers to execute arbitrary code or commands. The issue stems from a SQL Injection (CWE-89) within the
FCT DAS.exe (Data Analytics Service) component, where the service fails to sanitize input in the DAS messaging protocol. Attackers can send crafted HTTP requests to trigger the xp cmdshell extended stored procedure in the underlying Microsoft SQL Server, granting them SYSTEM-level access to the management server.This flaw has been exploited in the wild, with approximately 100 internet-exposed instances observed. Threat actors, including the group Storm-1175, have used this as a launchpad to deploy Medusa Ransomware and EKZ Infostealer. In some campaigns, attackers subverted the EMS patch distribution engine to push the infostealer to all managed endpoints disguised as an official security patch. The EKZ Infostealer targets browser credentials and session cookies from Chromium and Gecko-based browsers via PowerShell scripts.
Recommendations
Upgrade FortiClient EMS to version 7.2.3 or 7.4.1, or apply the specific emergency hotfix provided by Fortinet.
Restrict access to management ports (typically 443 and 10443) to trusted IP addresses only.
Remove the EMS server from direct internet exposure and require VPN access or strict allowlists.
Implement network segmentation to restrict administrative access to the EMS server.
Audit SQL Server logs for unauthorized execution of
xp cmdshell or sp configure.
Scan the EMS web root directory for unauthorized .php or .asp files.
Verify that no unauthorized endpoint policies have been created to disable security features like Real-time Protection or Cloud Sandbox.
Rotate and reset administrative credentials and enforce multi-factor authentication (MFA) for admin accounts.Exploit
Fix
RCE
LPE
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Forticlientems