PT-2026-30288 · Fortinet · Forticlientems

Published 2026-04-04 · Updated 2026-05-22 · CVE-2026-35616

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiClient EMS versions 7.2.0 through 7.2.2
FortiClient EMS versions 7.4.0 through 7.4.6

Description

An improper access control issue in the FortiClient Enterprise Management Server (EMS) allows an unauthenticated remote attacker to execute arbitrary code or commands. The flaw is a SQL injection (improper neutralization of special elements used in an SQL command) in the FCT DAS.exe (Data Analytics Service) component, specifically in the DAS messaging protocol. By sending crafted HTTP requests, an attacker can trigger the xp_cmdshell extended stored procedure in the underlying Microsoft SQL Server and gain SYSTEM-level access to the management server. This can lead to full compromise of the EMS infrastructure, allowing attackers to push malware to all managed endpoints, steal sensitive data, and move laterally through the network. Approximately 100 internet-exposed instances were observed during opportunistic mass scanning. Real-world exploitation has been confirmed: financially motivated groups such as Storm-1175 have used the flaw to deploy Medusa ransomware.

Recommendations

For versions 7.2.0 through 7.2.2, upgrade to version 7.2.3.
For versions 7.4.0 through 7.4.6, upgrade to version 7.4.7 or apply the emergency hotfix FG-IR-26-099.
As a temporary mitigation, restrict access to management ports 443 and 10443 to trusted IP addresses only.
Remove the EMS server from direct internet exposure by requiring a VPN or strict allowlists.
Implement network segmentation to limit administrative access to the management plane.
Rotate and reset all administrative credentials and enforce multi-factor authentication (MFA).
Monitor SQL Server logs for unauthorized execution of xp_cmdshell or sp_configure, and scan the web root directory for unauthorized .php or .asp files.
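The last recommendation above (watch SQL Server logs for xp_cmdshell / sp_configure activity and look for unexpected script files in the web root) can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the advisory, from Fortinet or from Positive Technologies. It assumes plain-text SQL Server ERRORLOG lines (the "Configuration option '...' changed from X to Y" message is SQL Server's standard wording when sp_configure alters a server option), and it assumes the operator keeps a baseline allowlist of the script files that legitimately belong in the EMS web root, whose location is not stated on the page. The sample log lines and the throwaway web root are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample SQL Server ERRORLOG lines (not from any real incident).
# Enabling xp_cmdshell through sp_configure produces the second line; the
# first line is the "show advanced options" change that has to precede it.
SAMPLE_ERRORLOG = [
    "2026-04-05 02:13:44.12 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2026-04-05 02:13:44.31 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2026-04-05 02:14:01.00 spid12s     SQL Server is now ready for client connections. This is an informational message; no user action is required.",
]

# SQL Server's own message format for an sp_configure change.
OPTION_CHANGED = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# Catch-all for other lines that name the procedures the advisory asks you to watch.
XP_OR_SP = re.compile(r"\b(xp_cmdshell|sp_configure)\b", re.IGNORECASE)


def scan_sql_log(lines):
    """Return (line_no, severity, detail) tuples for log lines an analyst should review."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = OPTION_CHANGED.search(line)
        if m:
            opt, old, new = m.group("option").lower(), m.group("old"), m.group("new")
            if opt == "xp_cmdshell" and new != "0":
                findings.append((n, "HIGH", f"xp_cmdshell enabled ({old} -> {new})"))
            elif opt == "show advanced options" and new != "0":
                findings.append((n, "MEDIUM", "show advanced options enabled (precursor to xp_cmdshell)"))
            continue
        if XP_OR_SP.search(line):
            findings.append((n, "LOW", "mentions xp_cmdshell/sp_configure"))
    return findings


# Server-side script types the advisory says should not appear unexpectedly in the web root.
SCRIPT_EXTS = {".php", ".asp", ".aspx"}


def find_unexpected_scripts(web_root, baseline):
    """List script files under web_root whose root-relative path is not in the baseline allowlist."""
    root = Path(web_root)
    unexpected = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            rel = p.relative_to(root).as_posix()
            if rel not in baseline:
                unexpected.append(rel)
    return sorted(unexpected)


def demo_web_root_check():
    """Build a constructed, throwaway web root and run the check against a baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "api").mkdir()
        (root / "api" / "status.php").write_text("<?php echo 'ok'; ?>")          # known, in baseline
        (root / "index.html").write_text("<html></html>")                        # not a script type
        (root / "api" / "cache_tmp.aspx").write_text("<%-- placeholder --%>")    # not in baseline
        baseline = {"api/status.php"}  # assumption: operator-maintained allowlist of legitimate files
        return find_unexpected_scripts(root, baseline)


if __name__ == "__main__":
    for line_no, severity, detail in scan_sql_log(SAMPLE_ERRORLOG):
        print(f"ERRORLOG line {line_no}: [{severity}] {detail}")
    for rel in demo_web_root_check():
        print(f"unexpected script in web root: {rel}")
```

In production the baseline would be generated from a known-good installation (for example, a hash list taken right after patching to 7.2.3 or 7.4.7) and the ERRORLOG path passed in from the SQL Server instance that backs EMS; a hit on the HIGH finding on a server that never legitimately enables xp_cmdshell is a strong indicator that the post-exploitation step described in the advisory has already happened.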

Exploit

Fix

RCE

LPE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2026-04638
CVE-2026-35616

Affected Products

Forticlientems