What happened
A new Fortinet FortiClient EMS flaw is being exploited in attacks, prompting an emergency weekend patch from Fortinet. The vulnerability, tracked as CVE-2026-35616, is an improper access control issue that allows unauthenticated attackers to execute code or commands through specially crafted requests. Fortinet said the flaw affects FortiClient EMS versions 7.4.5 and 7.4.6 and confirmed that it has been exploited in the wild. The company released hotfixes on Saturday and said the issue will also be addressed in the upcoming FortiClient EMS 7.4.7 release. Defused, which discovered the issue, described it as a pre-authentication API access bypass that allows attackers to bypass authentication and authorization controls entirely. The company also said FortiClient EMS 7.2 is not affected.
Who is affected
The direct exposure affects organizations running FortiClient EMS versions 7.4.5 and 7.4.6, especially internet-exposed deployments. Shadowserver said it found more than 2,000 exposed FortiClient EMS instances online, with most located in the United States and Germany.
Why CISOs should care
This matters because the flaw allows unauthenticated code or command execution against an enterprise management platform that may already be exposed to the internet. It also follows another critical FortiClient EMS flaw, CVE-2026-21643, that was reported last week and was also being actively exploited, underscoring continued pressure on this product line.
3 practical actions
- Apply the emergency hotfix immediately: Install the hotfixes for affected FortiClient EMS 7.4.5 and 7.4.6 systems or upgrade to FortiClient EMS 7.4.7 when it becomes available.
- Prioritize exposed management servers: Identify any internet-facing FortiClient EMS deployments and move them to the front of the remediation queue given the confirmed in-the-wild exploitation.
- Treat this as a live compromise risk: Review affected environments for signs of unauthorized access because Fortinet and Defused said exploitation was already observed before disclosure.
