New Fortinet FortiClient EMS Flaw Exploited in Attacks as Emergency Patch Is Released


What happened

A new Fortinet FortiClient EMS flaw is being exploited in attacks, prompting an emergency weekend patch from Fortinet. The vulnerability, tracked as CVE-2026-35616, is an improper access control issue that allows unauthenticated attackers to execute code or commands through specially crafted requests. Fortinet said the flaw affects FortiClient EMS versions 7.4.5 and 7.4.6 and confirmed that it has been exploited in the wild. The company released hotfixes on Saturday and said the issue will also be addressed in the upcoming FortiClient EMS 7.4.7 release. Defused, which discovered the issue, described it as a pre-authentication API access bypass that sidesteps authentication and authorization controls entirely. The company also said FortiClient EMS 7.2 is not affected.

Who is affected

The direct exposure affects organizations running FortiClient EMS versions 7.4.5 and 7.4.6, especially internet-exposed deployments. Shadowserver said it found more than 2,000 exposed FortiClient EMS instances online, with most located in the United States and Germany. 

Why CISOs should care

This matters because the flaw allows unauthenticated code or command execution against an enterprise management platform that may already be exposed to the internet. It also follows another critical FortiClient EMS flaw, CVE-2026-21643, that was reported last week and was also being actively exploited, underscoring continued pressure on this product line. 

3 practical actions

  1. Apply the emergency hotfix immediately: Install the hotfixes for affected FortiClient EMS 7.4.5 and 7.4.6 systems or upgrade to FortiClient EMS 7.4.7 when it becomes available. 
  2. Prioritize exposed management servers: Identify any internet-facing FortiClient EMS deployments and move them to the front of the remediation queue given the confirmed in-the-wild exploitation. 
  3. Treat this as a live compromise risk: Review affected environments for signs of unauthorized access because Fortinet and Defused said exploitation was already observed before disclosure. 
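The three actions above amount to one triage pass over an asset inventory: classify each EMS server by version and hotfix state, queue vulnerable internet-facing hosts first, and flag every host that ran an affected build for a compromise review. The script below is an added example, not Fortinet's or Defused's code. The inventory format (hostname, reported version, internet-facing flag, hotfix-applied flag) and the sample hosts are constructed for illustration; the affected (7.4.5, 7.4.6), fixed (7.4.7) and not-affected (7.2) versions are the ones stated in the article. Tolerating a "-build" suffix on version strings is an assumption about how your CMDB exports them.

```python
"""Remediation triage for the FortiClient EMS advisory (added example).

Assumes a simple inventory exported from your own CMDB; the hosts at the
bottom are constructed sample data, not real systems.
"""
from dataclasses import dataclass

# Versions named in the article.
AFFECTED = {(7, 4, 5), (7, 4, 6)}   # vulnerable unless the hotfix is applied
FIXED = (7, 4, 7)                   # release that carries the fix


@dataclass
class Host:
    name: str
    version: str          # e.g. "7.4.6" or "7.4.5-build1234" (suffix format assumed)
    internet_facing: bool
    hotfix_applied: bool  # Fortinet's weekend hotfix installed


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '7.4.5' or '7.4.5-build1234' into (7, 4, 5).

    Compares numerically, so '7.4.10' sorts after '7.4.7' (string sorting would not).
    """
    core = v.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected version string: {v!r}")
    return parts[:3]


def status(host: Host) -> str:
    """Classify one host against the advisory.

    vulnerable: affected build, no hotfix
    mitigated:  affected build, hotfix applied (still needs a compromise review)
    fixed:      7.4.7 or later
    unlisted:   not named in the article (e.g. 7.2.x, or 7.4.x below 7.4.5);
                confirm against Fortinet's advisory rather than assuming safety
    """
    ver = parse_version(host.version)
    if ver in AFFECTED:
        return "mitigated" if host.hotfix_applied else "vulnerable"
    if ver[:2] == (7, 4) and ver >= FIXED:
        return "fixed"
    return "unlisted"


def triage(hosts: list[Host]) -> tuple[list[str], list[str]]:
    """Return (remediation_queue, review_set).

    remediation_queue: unpatched vulnerable hosts, internet-facing first (action 2).
    review_set: every host that runs or ran an affected build, hotfixed or not,
    because exploitation was observed before the fix existed (action 3).
    """
    queue = sorted(
        (h for h in hosts if status(h) == "vulnerable"),
        key=lambda h: (not h.internet_facing, h.name),
    )
    review = sorted(h.name for h in hosts if status(h) in ("vulnerable", "mitigated"))
    return [h.name for h in queue], review


# Constructed sample inventory.
INVENTORY = [
    Host("ems-dmz-01", "7.4.6", internet_facing=True, hotfix_applied=False),
    Host("ems-corp-02", "7.4.5-build1234", internet_facing=False, hotfix_applied=False),
    Host("ems-lab-03", "7.4.5", internet_facing=True, hotfix_applied=True),
    Host("ems-old-04", "7.2.9", internet_facing=True, hotfix_applied=False),
    Host("ems-new-05", "7.4.7", internet_facing=False, hotfix_applied=False),
]

if __name__ == "__main__":
    queue, review = triage(INVENTORY)
    for h in INVENTORY:
        print(f"{h.name:12} {h.version:16} {status(h)}")
    print("patch first:", queue)      # ['ems-dmz-01', 'ems-corp-02']
    print("review for compromise:", review)
```

The review set deliberately includes hotfixed hosts: the hotfix closes the door but says nothing about who walked through it before Saturday.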


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.