Critical flaw in FortiClient EMS under exploitation

https://www.cybersecuritydive.com/news/critical-flaw-forticlient-ems-exploitation/816699/

Publish Date: 2026-04-06 11:01:00

Source Domain: www.cybersecuritydive.com

Fortinet on Saturday warned that a critical zero-day vulnerability in its FortiClient Endpoint Management Server platform is under active exploitation. 

The improper access control vulnerability, tracked as CVE-2026-35616, allows an unauthenticated attacker to execute unauthorized code or commands by using specially crafted requests.

Fortinet urged customers to immediately install an emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6 in an advisory issued Saturday. The upcoming FortiClient EMS 7.4.7 release will include a patched version, but in the meantime the emergency hotfixes should solve the problem, according to the company.

The company did not specify how long it would take for the 7.4.7 version to be released. 

Researchers at the vulnerability research firm Defused reported the issue to Fortinet after detecting in-the-wild exploitation activity through its honeypots last week, according to a post on LinkedIn.

“This vulnerability allows attackers to bypass authentication by spoofing a specific access header and, through this, getting access to the back end,” Defused founder and CEO Simo Kohonen told Cybersecurity Dive.

Fortinet acknowledged the vulnerability on Friday and released the advisory on Saturday, Kohonen said. Fortinet also thanked researcher Nguyen Duc Anh for additional work to disclose the flaw. 

Shadowserver Foundation on Sunday warned that CVE-2026-35616, as well as CVE-2026-21643, an improper neutralization of special elements flaw in FortiClient EMS 7.4.4, are both being exploited in the wild.

Researchers at watchTowr warned that the rapid succession of security flaws, combined with the Easter holiday weekend, could make mitigation of the FortiClient vulnerabilities more challenging.

“This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks,” watchTowr CEO Benjamin Harris told Cybersecurity Dive. “So, once again, organizations…
