Fortinet has swiftly responded to a critical vulnerability discovered in its FortiClient Enterprise Management Server (EMS), releasing urgent fixes over the weekend. The security flaw, identified as CVE-2026-35616, is of critical severity with a CVSS score of 9.1, potentially allowing remote code execution (RCE).
Details of the Vulnerability
The vulnerability arises from improper access control, which remote attackers can exploit by sending specially crafted requests to a vulnerable FortiClient EMS. Notably, the exploit does not require authentication, making it highly dangerous. Fortinet has confirmed the flaw has been exploited in real-world attacks.
To combat this, Fortinet released hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6, while confirming that version 7.2 remains unaffected. Detailed instructions for applying the hotfixes have been made available by the company.
Action Taken by Fortinet
Fortinet has asserted that the forthcoming FortiClient EMS 7.4.7 version will also contain a resolution for this issue. In the interim, the hotfixes are sufficient to mitigate the vulnerability. The cybersecurity firm credited “Defused” for discovering and responsibly reporting the flaw, which allows attackers to bypass API authentication and authorization without credentials.
According to the cybersecurity firm, Defused noticed active exploitation of this vulnerability and promptly informed Fortinet, adhering to responsible disclosure practices.
Exposure and Implications
The Shadowserver Foundation, a non-profit organization dedicated to improving internet security, reported the presence of approximately 2,000 FortiClient EMS instances accessible online, which may be vulnerable to attacks leveraging the new zero-day and another recently patched SQL injection vulnerability, CVE-2026-21643.
The discovery of such vulnerabilities highlights the ongoing threat landscape cyber infrastructures face, emphasizing the need for continuous monitoring and immediate action to safeguard systems against unauthorized access.
Further Reading: Similar vulnerabilities have been exploited in recent attacks, including the TrueConf zero-day used in Asian government breaches and the React2Shell campaign targeting credential data at scale.
Conclusion
Fortinet’s rapid response to this zero-day vulnerability underscores the critical nature of timely security patches in protecting digital environments. Organizations using FortiClient EMS should apply the hotfixes immediately to secure their systems against potential exploits.
