Fortinet has released an urgent hotfix after researchers disclosed a critical zero-day flaw in FortiClient EMS that is being actively exploited by malicious actors.
Designated CVE-2026-35616 and carrying a CVSSv3 score of 9.1 (Critical), the vulnerability allows unauthenticated attackers to bypass authentication and authorization controls in the API and thereby run arbitrary code or commands on vulnerable systems.
This vulnerability, categorized under CWE-284 (Improper Access Control), exists in the API layer of FortiClient Endpoint Management Server (EMS).
Successful exploitation does not require any previous authentication, user interaction, or privileged access, making it especially perilous for organizations with EMS deployments exposed to the internet.
An unauthenticated remote attacker can send specially crafted API requests that bypass all authentication and authorization checks, gaining full control over endpoint management operations.
The attack vector is network-based, attack complexity is low, and the impact covers confidentiality, integrity, and availability, which together account for its near-maximum CVSS score.
Fortinet’s advisory (FG-IR-26-099) outlines the primary consequence of the vulnerability as privilege escalation, with confirmed exploitation in-the-wild reported by the vendor.
Fortinet FortiClient EMS 0-Day
Only versions 7.4.5 and 7.4.6 of FortiClient EMS are affected. Version 7.2.x is unaffected and requires no action. The forthcoming FortiClient EMS 7.4.7 will provide the permanent fix, but Fortinet has made urgent hotfixes available immediately for both affected versions while that release is finalized.
The flaw was identified by Simo Kohonen from the threat intelligence company Defused and independent researcher Nguyen Duc Anh.
Defused observed active exploitation of the flaw earlier this week before reporting it to Fortinet under responsible disclosure. The discovery was made through Defused’s forthcoming Radar feature, scheduled for launch next week, which is designed to surface new exploitation activity in real time.
Upon receipt of the report, Fortinet acted rapidly, issuing its advisory and releasing the urgent hotfix on April 4, 2026, the same day as the initial report.
Fortinet strongly recommends that all customers operating affected versions implement the urgent hotfix without delay. Comprehensive installation instructions are accessible through the official FortiClient EMS release notes for each impacted build:
- FortiClient EMS 7.4.5: Follow the hotfix instructions in the 7.4.5 EMS release notes via the Fortinet documentation portal
- FortiClient EMS 7.4.6: Follow the hotfix instructions in the 7.4.6 EMS release notes via the Fortinet documentation portal
Organizations should also review their EMS logs for unusual API activity, particularly unauthenticated requests that may indicate prior exploitation attempts.
When feasible, limiting external access to the EMS management interface at the network perimeter adds a significant layer of defense while patching is conducted.
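The log review the two preceding paragraphs recommend can be started with a small triage script like the one below. It is an added example, not code from Fortinet or from the advisory, and everything product-specific in it is assumed: the access-log layout is a constructed generic format, the API path prefix `/api/` and the internal management range 10.0.0.0/8 are placeholders, and the sample log lines are constructed. The real FortiClient EMS log format and API routes are not given on this page and must be substituted before use.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical, constructed access-log format used only for this example:
#   <client_ip> <method> <path> <status> auth=<yes|no>
# The real FortiClient EMS log layout and API paths are not given in the
# advisory; adapt LINE_RE and API_PREFIX to the actual product logs.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
API_PREFIX = "/api/"                                   # assumed API path prefix
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal management range

# Constructed sample lines: one legitimate authenticated call, one correctly
# rejected unauthenticated call, a static asset (no auth expected), and
# three unauthenticated API calls that nevertheless succeeded.
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/endpoints 200 auth=yes
203.0.113.7 GET /api/v1/endpoints 401 auth=no
203.0.113.7 POST /api/v1/endpoints/command 200 auth=no
10.0.0.9 GET /static/logo.png 200 auth=no
198.51.100.4 POST /api/v1/admin/users 200 auth=no
203.0.113.7 POST /api/v1/admin/users 200 auth=no
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "yes"
    return rec


def is_external(ip):
    """True when the client address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_requests(log_text):
    """API requests that carried no credentials yet received a 2xx response.

    On a server whose API requires authentication, a successful unauthenticated
    call is the signal the advisory tells operators to look for; 401/403
    responses to unauthenticated calls are the expected, benign outcome.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"].startswith(API_PREFIX)
                and not rec["auth"]
                and 200 <= rec["status"] < 300):
            rec["external"] = is_external(rec["ip"])
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count suspicious requests per client IP so the noisiest sources surface first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for ip, n in summarize_by_source(found).most_common():
        print(f"{ip}: {n} unauthenticated successful API request(s)")
    for h in found:
        print(f"  {h['ip']} {h['method']} {h['path']} -> {h['status']} external={h['external']}")
```

The script deliberately ignores unauthenticated requests that were rejected with 401 or 403, since those are the normal outcome on a correctly enforcing server; what it surfaces is the combination that matters for this class of flaw, an API call with no credentials that still succeeded. Grouping hits by source address and flagging addresses outside the management network gives a quick first cut before deeper forensic review of the affected EMS host.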