
Fortinet has released an out-of-band patch for a critical security flaw affecting FortiClient EMS and announced that the flaw is being exploited in the wild.
This vulnerability is tracked as CVE-2026-35616 (CVSS score: 9.1) and is described as a pre-authentication API access bypass leading to privilege escalation.
“An improper access control vulnerability [CWE-284] in FortiClient EMS could allow an unauthenticated attacker to execute malicious code or commands via a crafted request,” Fortinet said in an advisory on Saturday.
This issue affects FortiClient EMS versions 7.4.5 through 7.4.6. The company has released a hotfix to address it; the full fix will ship in the upcoming version 7.4.7.
Simo Kohonen and Nguyen Duc Anh of Defused Cyber are credited with discovering and reporting the flaw. Defused Cyber said in a post on X that it observed zero-day exploitation of CVE-2026-35616 earlier this week. According to watchTowr, the first exploitation attempt against CVE-2026-35616 was recorded against its honeypot on March 31, 2026.
Successful exploitation of this flaw could allow an unauthenticated attacker to bypass API authentication and authorization protections and execute malicious code or commands via a crafted request.
“Fortinet has observed this being exploited in the wild and is urging vulnerable customers to install the FortiClient EMS 7.4.5 and 7.4.6 hotfix,” the company added.
This development comes just days after another recently patched critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) came under active exploitation. It is currently unclear whether the same actor is behind the exploitation of both flaws, or whether they are being weaponized together.
Given the severity of the vulnerability, users are encouraged to update FortiClient EMS to the latest version as soon as possible.
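As an added triage example (not Fortinet's code and not from the original article), the following Python script classifies an inventory of FortiClient EMS servers against the affected range stated above (7.4.5 through 7.4.6, fully fixed in 7.4.7). The inventory, host names and the `hotfix_applied` field are constructed assumptions; because the article describes the hotfix as separate from the 7.4.7 release, the script does not try to infer hotfix status from the version string and instead takes it from the operator's own records.

```python
"""Triage helper for the FortiClient EMS advisory summarised above.

Added example, not Fortinet's or the article's code. Affected range and
fixed release are taken from the article; the host inventory below is
constructed. The hotfix does not change the reported version, so hotfix
status must come from change records (the `hotfix_applied` field here).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values from the advisory as reported in the article.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_IN = (7, 4, 7)

# Accepts "7.4.6", "v7.4.6" and "7.4.6 build 1234"; rejects "7.4.6a" etc.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\b.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into an int tuple.

    Numeric comparison matters: as plain strings, '7.4.10' < '7.4.5',
    which would silently misclassify a newer build.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_in_affected_range(version: str) -> bool:
    """True if the version falls inside the range the advisory lists."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class EmsHost:
    name: str
    version: str
    internet_exposed: bool
    # Hypothetical field: recorded from the change ticket, not inferable
    # from the version string, since the hotfix leaves the version unchanged.
    hotfix_applied: bool = False


def triage(host: EmsHost) -> str:
    """Return a priority label for one host."""
    if not is_in_affected_range(host.version):
        if parse_version(host.version) >= FIXED_IN:
            return "ok-fixed-release"
        return "ok-not-in-affected-range"
    if host.hotfix_applied:
        # Still worth verifying: hotfix presence came from records, not the host.
        return "hotfixed-verify"
    return "URGENT-exposed" if host.internet_exposed else "patch-now-internal"


def triage_inventory(hosts: list[EmsHost]) -> dict[str, str]:
    """Map each host name to its triage label."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory; none of these are real hosts.
SAMPLE = [
    EmsHost("ems-dmz-01", "7.4.6", internet_exposed=True),
    EmsHost("ems-corp-02", "7.4.5", internet_exposed=False, hotfix_applied=True),
    EmsHost("ems-lab-03", "7.4.10", internet_exposed=False),
    EmsHost("ems-new-04", "v7.4.7 build 1234", internet_exposed=True),
]

if __name__ == "__main__":
    for name, label in triage_inventory(SAMPLE).items():
        print(f"{name:12s} {label}")
```

Hosts labelled `URGENT-exposed` are the ones the watchTowr comment above is aimed at: in the affected range, reachable from the internet, and with no hotfix on record. The numeric tuple comparison is deliberate; sorting or comparing version strings lexicographically is a common source of false "not affected" results in ad-hoc inventory scripts.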
“The timing of this increase in real-world exploitation of zero-days is probably no coincidence,” watchTowr CEO and founder Benjamin Harris told Hacker News.
“Adversaries have repeatedly shown that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the time window between compromise and detection can stretch from hours to days. Like any holiday, Easter represents an opportunity.”
“What’s disappointing is the big picture. This is the second uncertified vulnerability in FortiClient EMS in recent weeks.”
“So, again, organizations running FortiClient EMS and exposed to the internet should treat this as an emergency response situation, not something to respond to on a Tuesday morning. Apply the hotfix. Attackers already have a head start.”
