Security & Infrastructure Tools
New FortiClient EMS flaw exploited in attacks, emergency patch released
Fortinet has issued an emergency patch for a critical FortiClient Enterprise Management Server (EMS) flaw (CVE-2026-35616) that is being actively exploited in the wild. The bug is an improper access control weakness that lets unauthenticated attackers execute code or commands by sending crafted requests to the server. It affects EMS versions 7.4.5 and 7.4.6; the fix is to install the hotfix for the running version now, or to upgrade to 7.4.7 once that release ships. FortiClient EMS 7.2 is not affected. The flaw was discovered by Defused Cyber, which also reported the earlier, likewise exploited FortiClient EMS flaw CVE-2026-21643. Fortinet urges all affected customers to apply the fix immediately.

A newly disclosed flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) is being actively exploited in real-world attacks, prompting an emergency security update over the weekend. The issue, tracked as CVE-2026-35616, is an improper access control vulnerability that lets unauthenticated attackers run code or commands by sending specially crafted requests to an affected server.
Fortinet confirmed that it has observed in-the-wild exploitation and urged customers with vulnerable deployments to apply the hotfixes without delay. The affected releases are FortiClient EMS 7.4.5 and 7.4.6. Customers on 7.4.5 should apply the 7.4.5 hotfix and customers on 7.4.6 the 7.4.6 hotfix; Fortinet has said the fix will also be carried into the upcoming FortiClient EMS 7.4.7 release. FortiClient EMS 7.2 is not affected.
The flaw was identified by the security firm Defused, which described it as a pre-authentication API access bypass: a request can reach API functionality while skipping both authentication and authorization entirely, so no credentials are needed. Defused said it observed the bug being exploited as a zero-day earlier in the week and then reported it to Fortinet under responsible disclosure. Separately, the Shadowserver Foundation counted more than 2,000 FortiClient EMS instances reachable from the internet, most of them in the United States and Germany, which gives a sense of the exposed attack surface.
This vulnerability follows another critical FortiClient EMS flaw, CVE-2026-21643, which was also reported to be exploited in attacks. Both were uncovered by Defused, and Fortinet credits Nguyen Duc Anh for the latest report. Fortinet’s guidance is unchanged: apply the hotfix now, and upgrade to 7.4.7 as soon as it becomes available.
Administrators should prioritize EMS servers that are reachable from the internet, confirm from the installed version and hotfix state that the fix is actually in place rather than assuming it, and, where possible, restrict access to the EMS management and API interfaces to trusted networks. Because the bypass is pre-authentication, a clean patch does not by itself prove a server was not compromised before the hotfix landed, so exposed instances that ran 7.4.5 or 7.4.6 while the zero-day was active should also be reviewed for signs of unauthorized access. Until 7.4.7 is released, the hotfixes are the only vendor-supplied defense against this flaw.
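The triage described above, written out as an added example that is not part of the original article and not Fortinet’s or Defused’s code: it takes a constructed inventory of EMS servers, classifies each against the affected, fixed and unaffected versions the advisory names, and lists the still-vulnerable hosts with internet-exposed ones first. The inventory format and the `hotfix_applied` flag are assumptions (the page does not describe how a hotfix is detected on the server, so that state is taken from the operator’s own records); versions the advisory does not mention, such as 7.4.4, are deliberately reported as unknown rather than assumed safe.

```python
"""Triage a FortiClient EMS inventory against CVE-2026-35616.

Added example; not Fortinet's or Defused's code. The inventory records and
the hotfix_applied field are constructed/assumed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

CVE = "CVE-2026-35616"
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}  # affected releases per the advisory
FIXED_VERSION = (7, 4, 7)                   # upcoming release carrying the fix
UNAFFECTED_BRANCH = (7, 2)                  # 7.2 is stated to be not impacted


@dataclass
class EmsHost:
    hostname: str
    version: str
    internet_exposed: bool
    hotfix_applied: bool = False  # assumed to come from the operator's records


def parse_version(text: str) -> tuple[int, ...]:
    """'7.4.6' -> (7, 4, 6). Tolerates a trailing build tag like '7.4.6 build 1234'."""
    core = text.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def status(host: EmsHost) -> str:
    """Classify one server: not_affected, fixed, hotfixed, vulnerable or unknown."""
    v = parse_version(host.version)[:3]
    if v[:2] == UNAFFECTED_BRANCH:
        return "not_affected"
    if v >= FIXED_VERSION:
        return "fixed"
    if v in AFFECTED_VERSIONS:
        return "hotfixed" if host.hotfix_applied else "vulnerable"
    # 7.4.x below 7.4.5, 7.0.x etc.: the advisory says nothing, so do not assume safe.
    return "unknown"


def triage(hosts: list[EmsHost]) -> list[EmsHost]:
    """Hosts still needing the hotfix, internet-exposed first, then by hostname."""
    vulnerable = [h for h in hosts if status(h) == "vulnerable"]
    return sorted(vulnerable, key=lambda h: (not h.internet_exposed, h.hostname))


def summarize(hosts: list[EmsHost]) -> dict[str, int]:
    """Count hosts per status so the fleet state can be reported at a glance."""
    counts: dict[str, int] = {}
    for h in hosts:
        counts[status(h)] = counts.get(status(h), 0) + 1
    return counts


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    EmsHost("ems-dmz-01", "7.4.6", internet_exposed=True),
    EmsHost("ems-lab-02", "7.4.5", internet_exposed=False),
    EmsHost("ems-hq-03", "7.4.5 build 1234", internet_exposed=True, hotfix_applied=True),
    EmsHost("ems-old-04", "7.2.10", internet_exposed=True),
    EmsHost("ems-new-05", "7.4.7", internet_exposed=True),
    EmsHost("ems-odd-06", "7.4.4", internet_exposed=False),
]

if __name__ == "__main__":
    print(f"{CVE} fleet summary: {summarize(SAMPLE_INVENTORY)}")
    for h in triage(SAMPLE_INVENTORY):
        where = "INTERNET-EXPOSED" if h.internet_exposed else "internal"
        print(f"patch now: {h.hostname} ({h.version}, {where})")
```

Hosts reported as `unknown` should be checked against the vendor advisory directly rather than ignored, and the `hotfixed` state is only as trustworthy as the record it was read from, so it is worth verifying on the server itself before closing the ticket.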