Critical Zero-Day in Fortinet FortiClient EMS Under Active Exploitation
Fortinet has released an emergency hotfix for a critical zero-day vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server (EMS), which is being actively exploited in the wild. The flaw, rated 9.1 on the CVSSv3 scale, allows unauthenticated attackers to bypass API authentication and authorization controls, enabling arbitrary code or command execution on vulnerable systems.
The vulnerability, classified as CWE-284 (Improper Access Control), affects the API layer of FortiClient EMS. Exploitation requires no prior authentication, user interaction, or elevated privileges, making it a severe risk for organizations with internet-exposed EMS deployments. Attackers can send crafted API requests to gain full control over endpoint management operations, compromising confidentiality, integrity, and availability.
Only FortiClient EMS versions 7.4.5 and 7.4.6 are impacted; version 7.2.x remains unaffected. Fortinet has released emergency hotfixes for the vulnerable versions, with a permanent fix expected in the upcoming FortiClient EMS 7.4.7. The flaw was discovered by Simo Kohonen of Defused and independent researcher Nguyen Duc Anh, who observed active exploitation before reporting it to Fortinet under responsible disclosure.
Fortinet published its advisory (FG-IR-26-099) and released the hotfix on April 4, 2026. Organizations are advised to apply the patch immediately and monitor EMS logs for suspicious unauthenticated API activity. Restricting external access to the EMS management interface can provide additional protection while patching is underway.
Source: https://cybersecuritynews.com/fortinet-forticlient-ems-0-day/
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
"id": "FOR1775312783",
"linkid": "fortinet",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"