New FortiClient EMS flaw exploited in attacks, emergency patch released
Fortinet releases emergency patch for actively exploited FortiClient EMS pre-auth RCE flaw.
Summary
Fortinet released an emergency weekend security update for CVE-2026-35616, a critical pre-authentication API access bypass vulnerability in FortiClient EMS 7.4.5 and 7.4.6 that allows unauthenticated remote code execution. The flaw was discovered by cybersecurity firm Defused and is actively being exploited in the wild; Shadowserver identified over 2,000 exposed instances online, primarily in the USA and Germany. Fortinet urges immediate installation of hotfixes or upgrade to FortiClientEMS 7.4.7 when available.
Full text
New FortiClient EMS flaw exploited in attacks, emergency patch released By Lawrence Abrams April 5, 2026 02:45 PM 0 Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks. Tracked as CVE-2026-35616, the flaw is an improper access control vulnerability that allows unauthenticated attackers to execute code or commands via specially crafted requests. The issue was patched Saturday, with Fortinet confirming it has been exploited in the wild. "Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6," warns Fortinet. Fortinet says the vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6 and can be mitigated by installing one of the following hotfixes: https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5 https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6 The vulnerability will also be fixed in the upcoming FortiClientEMS 7.4.7. FortiClient EMS 7.2 is not affected. The flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that allows attackers to bypass authentication and authorization controls entirely. Defused shared on X that they observed the flaw being exploited as a zero-day earlier this week before reporting it to Fortinet under responsible disclosure. Internet security watchdog Shadowserver has found over 2,000 exposed FortiClient EMS instances online, with the majority located in the USA and Germany. The vulnerability follows a separate critical FortiClient EMS flaw, CVE-2026-21643, reported last week and also actively exploited in attacks. Both vulnerabilities were discovered by Defused, with Fortinet also crediting Nguyen Duc Anh for the latest flaw. Fortinet is urging customers to apply the hotfixes immediately or upgrade to version 7.4.7 when it becomes available to mitigate the risk of compromise. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Critical Fortinet Forticlient EMS flaw now exploited in attacksCritical Citrix NetScaler memory flaw actively exploited in attacksCISA: New Langflow flaw actively exploited to hijack AI workflowsCISA orders feds to patch max-severity Cisco flaw by SundayWordPress membership plugin bug exploited to create admin accounts
Indicators of Compromise
- cve — CVE-2026-35616
- cve — CVE-2026-21643