Fortinet releases emergency patch for critical FortiClient zero-day flaw

Fortinet warns of active exploitation as critical FortiClient zero-day patched

Fortinet has issued an urgent security patch after discovering a critical zero-day vulnerability in its FortiClient Endpoint Management Server (EMS), which is already being exploited in the wild.

The flaw, tracked as CVE-2026-35616, has been rated 9.1 on the CVSS scale. It is described as an improper access control issue that allows unauthenticated attackers to execute code or commands through specially crafted requests.

In its advisory, Fortinet confirmed active exploitation and urged customers to immediately apply the hotfix for FortiClient EMS versions 7.4.5 and 7.4.6. The company added, “Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely.”

The vulnerability was discovered and reported by Simo Kohonen, CEO of cybersecurity firm Defused, and researcher Nguyen Duc Anh. According to Kohonen, the current exploitation appears limited and linked to a single exploit, with no widespread activity detected so far.

The issue has been described as a “pre-authentication API access bypass,” allowing attackers to bypass authorization controls completely. It was identified using Defused’s upcoming “Radar” tool, designed to detect anomalies from large-scale honeypot data.

This vulnerability follows another recent FortiClient EMS flaw, CVE-2026-21643, a critical SQL injection issue that was disclosed and patched earlier. Kohonen noted, “We haven’t seen the zero-day being exploited by anyone else except the original exploit so far (which is good news, as I bet many haven’t patched yet due to weekend/holidays).”

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been directed to patch or mitigate the issue by April 9.

Security researchers have also identified a public proof-of-concept (PoC) exploit on GitHub, though it remains unverified. Experts warn that exploitation could increase as more exploit code becomes available.

Fortinet products have been frequent targets for threat actors. In recent months, multiple critical vulnerabilities across FortiCloud, FortiSIEM, FortiOS, and FortiWeb have been exploited, underscoring the urgency of timely patching.

Separately, researchers have also observed attackers using AI-driven techniques to compromise FortiGate devices by exploiting weak credentials and exposed systems.
