Fortinet has urgently released out-of-band patches to address a critical security flaw in FortiClient EMS, which has been actively exploited. The vulnerability, identified as CVE-2026-35616, carries a CVSS score of 9.1 and involves an API access bypass that leads to privilege escalation.
The company detailed in a recent advisory that this improper access control vulnerability in FortiClient EMS could allow an attacker without authentication to execute unauthorized commands through specially crafted requests. The flaw impacts versions 7.4.5 through 7.4.6, with a complete fix planned for version 7.4.7. A hotfix is currently available to mitigate the issue.
Discovery and Exploitation
The vulnerability was discovered by Simo Kohonen from Defused Cyber and Nguyen Duc Anh. Defused Cyber reported observing zero-day exploitation of CVE-2026-35616. According to watchTowr, exploitation attempts were first detected on its honeypots on March 31, 2026, highlighting the urgency of the patch.
Fortinet confirmed witnessing active exploitation and strongly advises affected users to apply the hotfix immediately. This alert comes shortly after another critical vulnerability, CVE-2026-21643, also faced active attacks, though it remains unclear if the same threat actors are responsible for both incidents.
Impact and Recommendations
Exploiting this flaw allows attackers to bypass API protections, executing malicious commands. Fortinet emphasizes the need for users to update FortiClient EMS to the latest version to prevent unauthorized access.
watchTowr’s CEO, Benjamin Harris, commented on the timing of the exploitation, noting that attackers often exploit vulnerabilities during holiday periods when security teams are less vigilant. This pattern represents a significant risk for organizations using FortiClient EMS.
Conclusion and Future Outlook
The emergence of multiple vulnerabilities in a short period underscores the importance of prompt action. Organizations should consider this a critical emergency response, rather than a routine update task. Immediate application of the hotfix is crucial to secure systems against ongoing threats.
The cybersecurity community continues to watch for further developments, as the exploitation of these vulnerabilities highlights the persistent threat landscape facing enterprise systems.
