Fortinet has issued an emergency hotfix after security researchers disclosed a critical zero-day vulnerability in FortiClient EMS that is already being actively exploited by threat actors.<\/p>\n
Tracked as CVE-2026-35616 and carrying a CVSSv3 score of 9.1 (Critical), the flaw enables unauthenticated attackers to bypass API authentication<\/a> and authorization controls entirely, allowing them to execute arbitrary code or commands on vulnerable systems.<\/p>\n The vulnerability, classified under CWE-284 (Improper Access Control), resides in the API layer of FortiClient Endpoint Management Server (EMS).<\/p>\n Successful exploitation does not require any prior authentication, user interaction, or elevated privileges, making it particularly dangerous for organizations with internet-exposed EMS deployments.<\/p>\n An unauthenticated remote attacker can send specially crafted API requests to bypass all authentication and authorization checks, effectively gaining full control over endpoint management operations.<\/p>\n The attack vector is network-based, the complexity is low, and the impact spans confidentiality, integrity, and availability conditions that directly account for its near-maximum CVSS rating.<\/p>\n Fortinet\u2019s advisory (FG-IR-26-099) lists<\/a> the vulnerability\u2019s primary impact as privilege e<\/span>scalation, with active in-the-wild exploitation confirmed by the vendor.<\/p>\n Only FortiClient EMS versions 7.4.5 and 7.4.6 are affected. FortiClient EMS 7.2. x is not affected and requires no action. The upcoming FortiClient EMS 7.4.7 will include a permanent fix, but Fortinet has made emergency hotfixes available immediately for both affected branches while that release is finalized.<\/p>\n The vulnerability was discovered by Simo Kohonen from threat intelligence firm Defused and independent researcher Nguyen Duc Anh.<\/p>\n Defused observed active in-the-wild exploitation of the flaw earlier this week before reporting it to Fortinet under responsible disclosure protocols. The discovery was made using Defused\u2019s upcoming Radar feature, set to launch next week, which is designed to surface novel exploitation activity in real time.<\/p>\n CVE-2026-35616 \u2013 FortiClient EMS pre-authentication API access bypass \u2013 CVSS 9.1 Critical<\/p>\n After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under\u2026 pic.twitter.com\/GUk5fCAx91<\/a><\/p>\n \u2014 Defused (@DefusedCyber) April 4, 2026<\/a>\n<\/p><\/blockquote>\nFortinet FortiClient EMS 0-Day<\/strong><\/h2>\n
\n
![\"\ud83d\udea8\"](\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\")
New Fortinet vulnerability being exploited as an 0-day <\/p>\n