New FortiClient EMS flaw exploited in attacks, emergency patch released

Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks.

Tracked as CVE-2026-35616, the flaw is an improper access control vulnerability that allows unauthenticated attackers to execute code or commands via specially crafted requests.

The issue was patched Saturday, with Fortinet confirming it has been exploited in the wild.

“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” warns Fortinet.

Fortinet says the vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6 and can be mitigated by installing one of the following hotfixes:

The vulnerability will also be fixed in the upcoming FortiClientEMS 7.4.7. FortiClient EMS 7.2 is not affected.

The flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that allows attackers to bypass authentication and authorization controls entirely.

Defused shared on X that they observed the flaw being exploited as a zero-day earlier this week before reporting it to Fortinet under responsible disclosure.

Internet security watchdog Shadowserver has found over 2,000 exposed FortiClient EMS instances online, with the majority located in the USA and Germany.

The vulnerability follows a separate critical FortiClient EMS flaw, CVE-2026-21643, reported last week and also actively exploited in attacks.

Both vulnerabilities were discovered by Defused, with Fortinet also crediting Nguyen Duc Anh for the latest flaw.

Fortinet is urging customers to apply the hotfixes immediately or upgrade to version 7.4.7 when it becomes available to mitigate the risk of compromise.