Fortinet CVE-2026-35616: Critical SQL Injection in FortiClient EMS Under Active APT Exploitation
Founder & Lead Analyst
Security administrators are facing another high-stakes patching cycle as Fortinet has issued an emergency advisory for CVE-2026-35616. This critical vulnerability, which carries a CVSS score of 9.1, is a SQL injection flaw residing in the FortiClient Endpoint Management Server (EMS). Most concerningly, the vulnerability is reportedly under active exploitation by Advanced Persistent Threat (APT) groups, who are using it as a gateway for Remote Code Execution (RCE) on high-value enterprise networks.
Technical Breakdown: The SQLi-to-RCE Chain
The root cause of CVE-2026-35616 is improper neutralization of special elements used in SQL commands (CWE-89) within the FCTDS.exe component of FortiClient EMS. Specifically, the vulnerability exists in the handling of unauthenticated requests to certain API endpoints used for endpoint registration and heartbeat telemetry, which means no credentials are needed to reach the vulnerable code path.
An attacker can craft a malicious HTTP request containing an injected SQL string. Because the EMS database (typically Microsoft SQL Server) is often accessed through a login with far more privilege than policy management needs, and because T-SQL executes stacked statements, a single injection point can carry a second, attacker-chosen statement and a successful injection can be escalated to full system compromise. By leveraging the xp_cmdshell stored procedure or similar database-level execution features, attackers can transition from a simple database query to executing arbitrary commands on the underlying Windows Server hosting the EMS, running with the rights of the SQL Server service account. Enabling and calling xp_cmdshell requires sysadmin-level rights on the instance (or an explicit grant), so the chain depends as much on an over-privileged EMS database login as on the injection itself.
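The injection class in action, as an added example that is not code from this article or from FortiClient EMS: a hypothetical heartbeat lookup built by string concatenation beside the same lookup with a bound parameter. SQLite stands in for Microsoft SQL Server so the script runs offline; the table, its columns, the sample rows and the function names are invented for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for an endpoint table; SQLite only so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT, policy TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO endpoints VALUES (?, ?, ?)",
        [
            ("ws-0001", "corp-default", "tok-a"),
            ("ws-0002", "corp-default", "tok-b"),
            ("srv-dc01", "tier0", "tok-c"),
        ],
    )
    return conn


def heartbeat_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    """Hypothetical heartbeat handler that concatenates the client-supplied
    hostname into the query text: CWE-89, the pattern the advisory describes."""
    sql = f"SELECT hostname, policy FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def heartbeat_fixed(conn: sqlite3.Connection, hostname: str) -> list:
    """Same lookup with a bound parameter; the value is data, never SQL."""
    sql = "SELECT hostname, policy FROM endpoints WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


def demo() -> dict:
    """Run three requests through both handlers and return what each saw."""
    conn = build_db()
    results = {}

    # 1. A well-formed hostname: both handlers agree.
    results["normal"] = (
        heartbeat_vulnerable(conn, "ws-0001"),
        heartbeat_fixed(conn, "ws-0001"),
    )

    # 2. A probe with a stray quote. The concatenating handler hands the database
    # malformed SQL and gets a syntax error back (the "unusual SQL error" the
    # IoC section describes). The parameterised handler just finds no such host.
    try:
        heartbeat_vulnerable(conn, "ws-0001'")
        results["probe_error"] = None
    except sqlite3.OperationalError as exc:
        results["probe_error"] = str(exc)
    results["probe_fixed"] = heartbeat_fixed(conn, "ws-0001'")

    # 3. A tautology. The concatenated WHERE clause becomes
    #    hostname = 'x' OR '1'='1'
    # so every endpoint row (tier0 included) comes back; with a bound parameter
    # the literal string matches nothing.
    payload = "x' OR '1'='1"
    results["tautology_vulnerable"] = heartbeat_vulnerable(conn, payload)
    results["tautology_fixed"] = heartbeat_fixed(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On SQL Server the same concatenation also accepts a second statement after a semicolon, which is how the xp_cmdshell step in the chain above becomes reachable; SQLite's execute() refuses multiple statements, so that step is deliberately not reproduced here. The point the example does show is that the parameterised handler returns the same rows for legitimate input and nothing, with no error, for both malicious inputs.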
Active Exploitation: APT Activity and Indicators
Threat intelligence firms have observed APT groups—specifically those historically linked to state-sponsored espionage—incorporating this exploit into their playbooks. The attack pattern involves an initial scan for exposed EMS portals (typically on port 4443), followed by a targeted injection attempt to drop a web shell or persistent backdoor.
Indicators of Compromise (IoCs) include:
- Unusual SQL error logs in the MS SQL Server logs associated with the FortiClient EMS database.
- Unexpected outbound connections from the EMS server to unknown IP addresses on ports 80, 443, or 8080.
- New, unauthorized administrative users created within the FortiClient EMS console.
- The presence of suspicious .exe or .ps1 files in the C:\Program Files (x86)\Fortinet\FortiClientEMS\ directory.
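The four indicators above, checked by an added Python triage script that is not from the original article or from Fortinet. Every input (the SQL Server error lines, the connection table, the admin list and the file listing) is a constructed sample, and the allow-list, the baselines and the process name are assumptions. SQL Server errors 102 and 105 are assumed to have been captured by an Extended Events session or the application's own log, since the engine does not write per-query syntax errors to ERRORLOG by default.

```python
import ipaddress
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

EMS_DIR = PureWindowsPath(r"C:\Program Files (x86)\Fortinet\FortiClientEMS")
SUSPECT_EXT = {".exe", ".ps1"}
WATCH_PORTS = {80, 443, 8080}

# SQL Server errors 102 (Incorrect syntax) and 105 (Unclosed quotation mark) are
# the usual footprint of a quote-breaking probe against a concatenated query.
SQL_ERROR_RE = re.compile(r"Error: (102|105),|Incorrect syntax near|Unclosed quotation mark")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def sql_error_findings(log_lines):
    return [Finding("sql-error", ln.strip()) for ln in log_lines if SQL_ERROR_RE.search(ln)]


def outbound_findings(connections, allowed_cidrs):
    """connections: (process, remote_ip, remote_port) tuples as a netstat or
    Get-NetTCPConnection export would give them; allowed_cidrs: destinations the
    EMS host legitimately talks to (update servers, SIEM, proxy)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    found = []
    for proc, ip, port in connections:
        addr = ipaddress.ip_address(ip)
        if port in WATCH_PORTS and not any(addr in n for n in nets):
            found.append(Finding("outbound", f"{proc} -> {ip}:{port}"))
    return found


def admin_findings(current_admins, baseline_admins):
    return [Finding("new-admin", u) for u in sorted(set(current_admins) - set(baseline_admins))]


def file_findings(paths, baseline_paths):
    """Flag .exe/.ps1 files under the EMS directory that are not in the baseline
    (baseline entries are lower-cased full paths from a known-good install)."""
    found = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_ems_dir = EMS_DIR in wp.parents
        if in_ems_dir and wp.suffix.lower() in SUSPECT_EXT and str(wp).lower() not in baseline_paths:
            found.append(Finding("file", str(wp)))
    return found


def triage(log_lines, connections, allowed_cidrs, admins, baseline_admins, paths, baseline_paths):
    return (sql_error_findings(log_lines)
            + outbound_findings(connections, allowed_cidrs)
            + admin_findings(admins, baseline_admins)
            + file_findings(paths, baseline_paths))


# --- constructed sample inputs (not real logs) --------------------------------
SAMPLE_SQL_LOG = [
    "2026-04-01 10:15:02.11 spid57 Error: 105, Severity: 15, State: 1. Unclosed quotation mark after the character string 'ws-0001'.",
    "2026-04-01 10:15:02.12 spid57 Error: 102, Severity: 15, State: 1. Incorrect syntax near 'ws-0001'.",
    "2026-04-01 10:15:09.40 spid57 Heartbeat processed for ws-0001.",
]
SAMPLE_CONNECTIONS = [
    ("FCTDS.exe", "10.0.5.20", 1433),   # database, not a watched port
    ("FCTDS.exe", "10.0.8.15", 443),    # internal proxy, allow-listed
    ("FCTDS.exe", "203.0.113.7", 443),  # unknown external host
]
ALLOWED_CIDRS = ["10.0.0.0/8"]
SAMPLE_ADMINS = ["admin", "helpdesk-ops", "svc_backup2"]
BASELINE_ADMINS = ["admin", "helpdesk-ops"]
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Fortinet\FortiClientEMS\FCTDS.exe",
    r"C:\Program Files (x86)\Fortinet\FortiClientEMS\update.ps1",
    r"C:\Windows\System32\cmd.exe",
]
BASELINE_PATHS = {r"c:\program files (x86)\fortinet\forticlientems\fctds.exe"}


def triage_sample():
    return triage(SAMPLE_SQL_LOG, SAMPLE_CONNECTIONS, ALLOWED_CIDRS,
                  SAMPLE_ADMINS, BASELINE_ADMINS, SAMPLE_PATHS, BASELINE_PATHS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.category}] {f.detail}")
```

Feed the functions real exports (an Extended Events capture, a Get-NetTCPConnection dump, the EMS admin list, a directory listing) and a baseline taken from a clean install. Each check is deliberately a comparison against a baseline or allow-list rather than a signature for any particular implant, because the page names no specific tooling and the attacker's file and user names will differ per intrusion.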
The Impact on Zero Trust Architecture
The exploitation of FortiClient EMS is particularly damaging because the EMS is the "brain" of a Zero Trust deployment. It is responsible for verifying the posture of thousands of endpoints before granting them access to internal resources. If the EMS is compromised, an attacker can effectively "greenlight" malicious devices or disable security policies across the entire organization, rendering other security controls moot.
Remediation: Patching and Mitigation
Fortinet has released FortiClient EMS v7.2.5 to address this flaw. Organizations running vulnerable versions (specifically v7.2.0 through v7.2.4, and the v7.0.x branch) are urged to update immediately. This write-up names no fixed release for the 7.0 branch, so consult Fortinet's advisory for the correct target version there.
If immediate patching is not possible, the following mitigation steps are recommended:
- Restrict Access: Use a Web Application Firewall (WAF) to block common SQL injection patterns (e.g., ' OR 1=1, ; SHUTDOWN) targeting the EMS endpoints. Treat this as a stopgap only: pattern lists are easy to sidestep with equivalent expressions, comments or encoding, and they do nothing about the concatenated query underneath.
- IP Whitelisting: Limit access to the EMS management interface to known, trusted administrative IP addresses. Because the flaw sits in the endpoint-facing registration and heartbeat API rather than only the admin console, that listener must also be restricted to the networks your endpoints actually connect from and should not be reachable from the internet.
- Database Hardening: Ensure that the SQL Server login the EMS uses has the minimum necessary privileges and, in particular, is not a member of the sysadmin role. Disable xp_cmdshell if it is not explicitly required for your environment's functionality, bearing in mind that any login with sysadmin rights can re-enable it through sp_configure, so removing the privilege matters more than the switch itself.
Conclusion: The Eternal Arms Race
The discovery and active exploitation of CVE-2026-35616 serves as a stark reminder that even the tools we use to secure our networks can become vectors for attack. SQL injection, a vulnerability class that has existed for decades, continues to be a viable path for RCE whenever a critical component builds queries from untrusted input by concatenation instead of binding parameters.
As APT groups become more agile, the window between vulnerability disclosure and active exploitation is closing. For security teams, the message is clear: the integrity of your Endpoint Management system is paramount. Update to v7.2.5 today, or risk becoming the next entry in a global breach report.