FortiClient EMS Flaw Exploited; Emergency Patch Released

Fortinet has released an emergency security update for a vulnerability in FortiClient Enterprise Management Server (EMS). The flaw, tracked as CVE-2026-35616, is rated as a serious risk because it is already being exploited in the wild.

Details of the Vulnerability

The flaw is classified as an improper access control vulnerability that lets an unauthenticated attacker execute commands on the EMS server through specially crafted requests. Fortinet released the hotfix on Saturday and confirmed at the same time that the vulnerability is under active exploitation.

Impacted Versions

  • FortiClient EMS 7.4.5
  • FortiClient EMS 7.4.6

Fortinet advises customers running either of these versions to install the hotfix immediately. A full fix is expected in the forthcoming FortiClient EMS 7.4.7 release. The FortiClient EMS 7.2 branch is not affected.
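The following triage helper is an added example written for this article, not code from Fortinet or from Defused. It classifies EMS version strings against the versions named above so that an inventory of servers can be sorted into "apply the hotfix", "already fixed" and "not affected". It assumes version strings begin with a dotted major.minor.patch number (for example "7.4.5" or "7.4.6 build 0123"); the host inventory at the bottom is constructed sample data.

```python
import re

# Versions named in the advisory summary above. Anything outside these
# sets is reported as "not listed" rather than guessed at.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED_FROM = (7, 4, 7)        # release expected to carry the complete fix
UNAFFECTED_BRANCHES = {(7, 2)}  # 7.2 is stated as not affected

_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a version string.

    Assumption: the string starts with major.minor.patch; trailing build
    information such as ' build 0123' is ignored.
    """
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version: str) -> str:
    """Return one of: 'affected', 'fixed', 'not_affected', 'not_listed'."""
    v = parse_version(version)
    if v in AFFECTED:
        return "affected"          # apply the hotfix now, upgrade to 7.4.7 when released
    if v[:2] in UNAFFECTED_BRANCHES:
        return "not_affected"
    if v[:2] == FIXED_FROM[:2] and v >= FIXED_FROM:
        return "fixed"
    return "not_listed"            # not covered by the advisory; confirm with the vendor


def triage_inventory(hosts: dict) -> dict:
    """Group hostnames by triage status. `hosts` maps hostname -> version string."""
    groups = {"affected": [], "fixed": [], "not_affected": [], "not_listed": []}
    for host, version in hosts.items():
        groups[triage(version)].append(host)
    for names in groups.values():
        names.sort()
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ems-ny-01": "7.4.5",
        "ems-fra-01": "7.4.6 build 0123",
        "ems-lab-01": "7.2.9",
        "ems-new-01": "7.4.7",
    }
    for status, names in triage_inventory(sample).items():
        print(f"{status:13s} {', '.join(names) or '-'}")
```

Anything reported as "not_listed" (for example an older 7.4.x build) is deliberately not marked safe: the advisory names only 7.4.5 and 7.4.6, and that should be confirmed with the vendor rather than inferred.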

Discovery and Responsible Disclosure

The vulnerability was discovered by the cybersecurity firm Defused, which described it as a pre-authentication API access bypass: an attacker can skip authentication and authorization entirely when calling the affected API. Defused first observed it being exploited as a zero-day earlier this week and then disclosed it to Fortinet.

Exposed Instances and Recommendations

Scans by the Shadowserver Foundation found more than 2,000 FortiClient EMS instances exposed to the internet, most of them in the United States and Germany. Fortinet urges all affected customers to apply the hotfix without delay and to upgrade to version 7.4.7 once it is available. Because the flaw is reachable without authentication, administrators should also review whether the EMS management interface needs to be internet-facing at all, and check server logs for unexpected API requests that predate the hotfix.

Related Vulnerabilities

This flaw follows another critical FortiClient EMS issue reported last week, CVE-2026-21643, which is also under active exploitation. Both vulnerabilities were found by Defused; for the latest one, Fortinet credits Nguyen Duc Anh.