Urgent Warning: Critical Fortinet FortiClient EMS Zero-Day Actively Exploited

Fortinet has issued an emergency hotfix following the disclosure of a critical zero-day vulnerability in its FortiClient EMS product. This flaw, actively exploited by threat actors in the wild, poses a severe risk to organizations, particularly those with internet-exposed deployments of FortiClient EMS.

Understanding the Critical FortiClient EMS Zero-Day

Tracked as CVE-2026-35616 and assigned a CVSSv3 score of 9.1 (Critical), this vulnerability allows unauthenticated attackers to completely bypass API authentication and authorization controls. This bypass effectively grants them the ability to execute arbitrary code or commands on vulnerable systems.

Categorized under CWE-284 (Improper Access Control), the vulnerability resides within the API layer of the FortiClient Endpoint Management Server (EMS). Its severity is amplified by the fact that successful exploitation requires no prior authentication, user interaction, or elevated privileges. An unauthenticated remote attacker can simply send specially crafted API requests to gain full control over endpoint management operations.

The attack vector is network-based, characterized by low complexity, and its impact spans confidentiality, integrity, and availability, directly contributing to its near-maximum CVSS rating. Fortinet’s advisory, FG-IR-26-099, highlights privilege escalation as the primary impact and confirms active in-the-wild exploitation.

Immediate Action Required: Patching Your FortiClient EMS

Fortinet has acted swiftly to address this critical issue:

  • Affected Versions: Only FortiClient EMS versions 7.4.5 and 7.4.6 are vulnerable.
  • Unaffected Versions: FortiClient EMS 7.2.x is NOT affected and requires no action regarding this specific vulnerability.
  • Permanent Fix: The upcoming FortiClient EMS 7.4.7 release will incorporate a permanent resolution.
  • Emergency Hotfixes: Fortinet has immediately released emergency hotfixes for both affected branches (7.4.5 and 7.4.6) while the 7.4.7 release is being finalized.

Fortinet strongly urges all customers running affected versions of FortiClient EMS to apply the emergency hotfix without delay. Detailed installation instructions can be found in the official FortiClient EMS release notes for each affected build:

  • For FortiClient EMS 7.4.5: Refer to the hotfix instructions in the 7.4.5 EMS release notes via the Fortinet documentation portal.
  • For FortiClient EMS 7.4.6: Refer to the hotfix instructions in the 7.4.6 EMS release notes via the Fortinet documentation portal.

Recommended Mitigation Steps:

  • Apply Hotfixes Immediately: Prioritize patching your FortiClient EMS deployments.
  • Monitor Logs: Regularly scrutinize your EMS logs for any anomalous API activity, especially unauthenticated requests, which could indicate prior exploitation attempts.
  • Restrict External Access: Where feasible, limit external access to the EMS management interface at the network perimeter. This adds a crucial layer of defense while patching is underway.
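As an added illustration of the "Monitor Logs" step above (this is example code written for this page, not Fortinet tooling or part of the advisory), the script below scans access-log lines in an assumed, constructed layout and flags sources whose API calls succeeded without any credential; the `/api/v1/...` paths, the `auth=` field and the login allowlist are placeholders, since the real FortiClient EMS log format and routes are not given on this page. It deliberately ignores two benign cases: routes that are unauthenticated by design, and unauthenticated requests the server rejected.

```python
import re
from collections import defaultdict

# From the advisory text on this page: only EMS 7.4.5 and 7.4.6 are affected.
AFFECTED_VERSIONS = {"7.4.5", "7.4.6"}
# Assumed placeholder: routes that answer without a session by design (login).
EXPECTED_UNAUTHENTICATED = {"/api/v1/login"}
# Assumed, constructed log layout (NOT Fortinet's real EMS log format):
#   <timestamp> <source-ip> <method> <path> <status> auth=<session|token|none>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

def is_affected(version: str) -> bool:
    """True when the EMS version string is one the advisory lists as vulnerable."""
    return version.strip() in AFFECTED_VERSIONS

def parse_line(line: str):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unauthenticated_api_success(lines):
    """Per source IP, list API requests that succeeded with no credential.
    Rejected unauthenticated requests (401/403) are routine noise; a 2xx on a
    protected /api/ route with auth=none is the condition worth triage."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/api/"):
            continue
        if rec["path"] in EXPECTED_UNAUTHENTICATED:
            continue  # unauthenticated by design, not a finding
        if rec["auth"] == "none" and rec["status"].startswith("2"):
            hits[rec["src"]].append((rec["ts"], rec["method"], rec["path"]))
    return dict(hits)

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    "2026-04-04T09:58:01Z 198.51.100.20 POST /api/v1/login 200 auth=none",
    "2026-04-04T09:58:02Z 198.51.100.20 GET /api/v1/endpoints 200 auth=session",
    "2026-04-04T10:02:11Z 203.0.113.7 GET /api/v1/endpoints 200 auth=none",
    "2026-04-04T10:02:13Z 203.0.113.7 POST /api/v1/policies 200 auth=none",
    "2026-04-04T10:03:00Z 192.0.2.9 GET /api/v1/endpoints 401 auth=none",
    "unrelated syslog line that does not match the expected layout",
]
```

Running `find_unauthenticated_api_success(SAMPLE_LOG)` on the constructed sample returns only 203.0.113.7 with its two credential-less successes; the login call, the session-backed call and the rejected 401 are all left out.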

Discovery and Disclosure

The critical vulnerability was brought to light by Simo Kohonen from threat intelligence firm Defused, alongside independent researcher Nguyen Duc Anh. Defused played a crucial role, observing active in-the-wild exploitation of the flaw earlier this week before responsibly reporting it to Fortinet.

Defused made this discovery using their innovative “Radar” feature, an upcoming tool designed to surface novel exploitation activity in real time, set to launch next week. The rapid response from Fortinet, publishing its advisory and releasing the emergency hotfix on April 4, 2026, underscores the severity and urgency of this FortiClient EMS zero-day.

🚨 New Fortinet vulnerability being exploited as an 0-day

CVE-2026-35616 – FortiClient EMS pre-authentication API access bypass – CVSS 9.1 Critical

After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under… pic.twitter.com/GUk5fCAx91 — Defused (@DefusedCyber) April 4, 2026
