Perceptive Security
SOC/SIEM Consultancy

New FortiClient EMS flaw exploited in attacks, emergency patch released
Published:
5 April 2026 at 18:45:17
Alert date:
5 April 2026 at 19:00:41
Source:
bleepingcomputer.com
Enterprise Applications, Zero-Day Vulnerabilities, Security Tools
Fortinet has released an emergency security update for CVE-2026-35616, a critical vulnerability in FortiClient Enterprise Management Server (EMS) that is being actively exploited in attacks. The emergency patch was released over the weekend in response to the active exploitation, and organizations running FortiClient EMS are urged to apply it immediately to prevent compromise.
Technical details
CVE-2026-35616 is an improper access control vulnerability in FortiClient Enterprise Management Server (EMS) that allows unauthenticated attackers to execute code or commands via specially crafted requests. The flaw is described as a pre-authentication API access bypass: it lets an attacker sidestep both authentication and authorization controls entirely. The vulnerability was exploited as a zero-day before being reported under responsible disclosure.
Mitigation steps:
Install the hotfixes for FortiClient EMS 7.4.5 and 7.4.6 immediately using the release notes links below, or upgrade to version 7.4.7 when it becomes available. Fortinet urges vulnerable customers to apply the patches immediately to mitigate the risk of compromise. Over 2,000 exposed FortiClient EMS instances have been identified online, the majority of them in the USA and Germany.
Affected products:
FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6
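The mitigation step and the affected-product list above amount to a version triage task across an EMS estate. The script below is an added example written for this alert, not code from Fortinet or from the original article. It compares versions numerically rather than as strings (a string comparison would rank "7.4.10" below "7.4.7"), flags the versions the advisory lists as affected, and puts internet-exposed, unpatched hosts at the top of the worklist. The inventory fields `hotfix_applied` and `internet_exposed`, and every host in `SAMPLE_INVENTORY`, are constructed assumptions; versions not named in the advisory are reported as "unknown" rather than assumed safe.

```python
"""Added example (not from the alert): triage a FortiClient EMS inventory
against the affected versions listed for CVE-2026-35616."""
from dataclasses import dataclass

CVE_ID = "CVE-2026-35616"
# Versions the advisory page lists as affected.
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
# Fixed release named in the mitigation step.
FIXED_VERSION = (7, 4, 7)


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints so comparison is numeric,
    not lexical ('7.4.10' must sort above '7.4.7')."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class EmsHost:
    name: str
    version: str
    hotfix_applied: bool    # assumption: inventory records whether the vendor hotfix is applied
    internet_exposed: bool  # assumption: inventory records external reachability


def assess(host):
    """Return (status, action) for a single host."""
    v = parse_version(host.version)
    if v >= FIXED_VERSION:
        return ("not_affected", "no action")
    if v in AFFECTED_VERSIONS:
        if host.hotfix_applied:
            return ("hotfixed", "plan upgrade to " + ".".join(map(str, FIXED_VERSION)))
        action = "apply Fortinet hotfix now"
        if host.internet_exposed:
            action += " (internet-exposed: top priority)"
        return ("vulnerable", action)
    # Not in the advisory's affected list, but not confirmed fixed either.
    return ("unknown", "version not covered by the advisory; verify against vendor guidance")


def triage(hosts):
    """Return (host, status, action) triples, vulnerable hosts first and
    internet-exposed ones ahead of internal ones."""
    order = {"vulnerable": 0, "hotfixed": 1, "unknown": 2, "not_affected": 3}
    results = [(h, *assess(h)) for h in hosts]
    results.sort(key=lambda r: (order[r[1]], not r[0].internet_exposed, r[0].name))
    return results


# Constructed sample inventory; none of these are real hosts.
SAMPLE_INVENTORY = [
    EmsHost("ems-lab", "7.4.7", False, False),
    EmsHost("ems-dmz", "7.4.6", False, True),
    EmsHost("ems-hq", "7.4.5", True, False),
    EmsHost("ems-branch", "7.4.6", False, False),
    EmsHost("ems-old", "7.2.3", False, True),
]

if __name__ == "__main__":
    print(f"Triage for {CVE_ID}")
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host.name:<12} {host.version:<8} {status:<13} {action}")
```

Feed it your real inventory export in place of `SAMPLE_INVENTORY`; the "unknown" bucket is deliberate so that a version the advisory does not mention never silently drops off the worklist.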
Related links:
https://fortiguard.fortinet.com/psirt/FG-IR-26-099
https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484
https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484
https://x.com/DefusedCyber/status/2040315969159995847
https://x.com/Shadowserver/status/2040845567882928304
https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.