Fortinet has swiftly released an emergency patch following the disclosure of a critical zero-day vulnerability in its FortiClient Endpoint Management Server (EMS). Security experts have confirmed that this vulnerability, identified as CVE-2026-35616, is already being actively exploited by cyber attackers.
Understanding the Vulnerability
Rated a severe 9.1 on the CVSSv3 scale, the flaw allows attackers to completely bypass API authentication and authorization controls in FortiClient EMS. This lapse in security enables them to execute arbitrary commands or code on affected systems without requiring any authentication or user interaction.
The issue is categorized under CWE-284, indicating improper access control within the EMS API layer. The vulnerability poses a significant risk to organizations with internet-facing EMS deployments due to its ease of exploitation and potential for widespread impact on confidentiality, integrity, and availability.
Active Exploitation and Vendor Response
Fortinet has confirmed active exploitation of this vulnerability in the wild. The vendor’s advisory (FG-IR-26-099) highlights privilege escalation as a primary risk. Only FortiClient EMS versions 7.4.5 and 7.4.6 are impacted, with a fix slated for the upcoming 7.4.7 release. In the interim, Fortinet has issued hotfixes for these versions.
The vulnerability was uncovered by Simo Kohonen from Defused and independent researcher Nguyen Duc Anh. Defused reported the exploitation after detecting unusual activity through their soon-to-be-released Radar feature, which monitors emerging threats in real time.
Mitigation and Future Security Measures
Fortinet has urged all users of the affected EMS versions to apply the emergency hotfix without delay. Detailed installation instructions are available in the Fortinet documentation portal for each version. Monitoring EMS logs for any unusual API activity is also recommended to identify potential exploitation attempts.
Additionally, organizations are advised to restrict external access to the EMS management interface as a precautionary measure while applying the necessary patches. This step can help mitigate risk by minimizing potential attack vectors.
For continuous updates on cybersecurity threats, follow Fortinet’s official channels. Ensuring prompt application of security patches is crucial to safeguarding systems against such vulnerabilities.
