⬡ Vulnerabilities & CVEs · Apr 07, 2026

Critical flaw in FortiClient EMS under exploitation - Cybersecurity Dive

Source: Cybersecurity Dive · Archived Apr 07, 2026



Fortinet released an emergency hotfix after security researchers discovered the vulnerability being exploited as a zero-day.

Published April 6, 2026 · David Jones, Reporter

[Image: Fortinet's headquarters in Sunnyvale, Calif. The company has released a hotfix for a critical vulnerability in FortiClient EMS. Courtesy of Fortinet]

Fortinet on Saturday warned that a critical zero-day vulnerability in its FortiClient Endpoint Management Server platform is under active exploitation.

The improper access control vulnerability, tracked as CVE-2026-35616, allows an unauthenticated attacker to execute unauthorized code or commands using specially crafted requests. In an advisory issued Saturday, Fortinet urged customers to immediately install an emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6. The upcoming FortiClient EMS 7.4.7 release will include the fix, but in the meantime the emergency hotfixes should resolve the problem, according to the company. The company did not specify when the 7.4.7 version will be released.

Researchers at the vulnerability research firm Defused reported the issue to Fortinet after detecting in-the-wild exploitation activity through its honeypots last week, according to a post on LinkedIn.

"This vulnerability allows attackers to bypass authentication by spoofing a specific access header and, through this, getting access to the back end," Defused founder and CEO Simo Kohonen told Cybersecurity Dive. Fortinet acknowledged the vulnerability on Friday and released the advisory on Saturday, Kohonen said. Fortinet also thanked researcher Nguyen Duc Anh for additional work to disclose the flaw.

Shadowserver Foundation on Sunday warned that CVE-2026-35616, as well as CVE-2026-21643, an improper neutralization of special elements flaw in FortiClient EMS 7.4.4, are both being exploited in the wild.

The Cybersecurity and Infrastructure Security Agency on Monday added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog.

Researchers at watchTowr warned that the rapid succession of security flaws, combined with the Easter holiday weekend, could make mitigation of the FortiClient vulnerabilities more challenging.

"This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks," watchTowr CEO Benjamin Harris told Cybersecurity Dive. "So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning."

CVE-2026-21643 was originally disclosed in February by Fortinet's product security team. Defused on March 28 said it had detected that the vulnerability had been under active exploitation since March 24.

Shadowserver is tracking about 2,000 exposed instances of FortiClient EMS across the globe, with the U.S. and Germany the leading countries visible.

Editor's note: Updates with new information from CISA.
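The mechanism Kohonen describes, a back end that grants access because a request carries a particular header, is a general anti-pattern, and the Python below is an added illustration of that bug class. It is not Fortinet's code and does not reproduce the FortiClient EMS flaw: the article does not name the header involved in CVE-2026-35616, so the header name X-Access-Role, the INTERNAL_ONLY list, the bearer-token scheme and the token value are all assumptions constructed for this example. It shows the vulnerable handler beside a hardened one that only honours server-issued state, plus the edge-side compensating control (stripping internal-only headers before they reach the application) that a defender can apply while waiting on a vendor hotfix.

```python
import hmac
from dataclasses import dataclass, field


# Constructed example: a minimal request object standing in for whatever the
# web framework hands the application. Not FortiClient EMS code.
@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    remote_addr: str = "203.0.113.10"   # RFC 5737 documentation address


# Hypothetical: a session the server itself issued. In a real service this
# lives in server-side state, never in anything the client sends unsigned.
ADMIN_TOKEN = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"   # constructed value
SESSIONS = {ADMIN_TOKEN: "admin"}

# Hypothetical header the back end treats as "the front end already
# authenticated this caller". Any header name here has the same problem.
ACCESS_HEADER = "X-Access-Role"
INTERNAL_ONLY = {ACCESS_HEADER, "X-Internal-User"}


def handle_vulnerable(req: Request) -> int:
    """Access decision driven by a client-controllable header.

    The back end assumes only a trusted front end can set ACCESS_HEADER, but
    anything that can reach this handler can set it too, so an unauthenticated
    caller reaches the privileged path with a single forged header.
    """
    if req.headers.get(ACCESS_HEADER) == "admin":
        return 200
    return 401


def handle_hardened(req: Request, sessions: dict = SESSIONS) -> int:
    """Access decision driven only by state the server issued.

    Role claims carried in request headers are ignored entirely; the caller
    must present a bearer token the server minted, compared in constant time.
    """
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    presented = auth[len("Bearer "):]
    if not presented.isascii():          # compare_digest requires ASCII str
        return 401
    for issued, role in sessions.items():
        if hmac.compare_digest(issued, presented) and role == "admin":
            return 200
    return 401


def strip_internal_headers(headers: dict) -> dict:
    """Edge-side defence for the same bug class.

    A reverse proxy or WAF in front of the application drops any internal-only
    header arriving from outside, so a forged header never reaches a back end
    that still trusts it. Header names are matched case-insensitively, as HTTP
    requires. This is a compensating control, not a substitute for the fix.
    """
    blocked = {h.lower() for h in INTERNAL_ONLY}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


def demo() -> dict:
    """Run the cases and return the status codes for inspection."""
    forged = Request("/api/admin/config", {ACCESS_HEADER: "admin"})
    legit = Request("/api/admin/config",
                    {"Authorization": "Bearer " + ADMIN_TOKEN})
    return {
        "forged_vs_vulnerable": handle_vulnerable(forged),      # 200: bypass
        "forged_vs_hardened": handle_hardened(forged),          # 401
        "forged_vs_stripped_edge": handle_vulnerable(
            Request(forged.path, strip_internal_headers(forged.headers))),  # 401
        "legit_vs_hardened": handle_hardened(legit),            # 200
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The point of the third case is the one that matters during an emergency like this weekend's: if the application cannot be patched immediately, denying the forged header at the edge neutralises the bypass for that header even though the vulnerable handler is unchanged, and restricting who can reach the management interface at all removes the "exposed to the Internet" precondition Harris points to.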