Fortinet on Saturday warned that a critical zero-day vulnerability in its FortiClient Endpoint Management Server platform is under active exploitation.
The improper access control vulnerability, tracked as CVE-2026-35616, allows an unauthenticated attacker to execute unauthorized code or commands by using specially crafted requests.
Fortinet urged customers to immediately install an emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6 in an advisory issued Saturday. The upcoming FortiClient EMS 7.4.7 release will include a patched version, but in the meantime, the emergency hotfixes should solve the problem, according to the company.
The company did not specify how long it would take for the 7.4.7 version to be released.
Researchers at the vulnerability research firm Defused reported the issue to Fortinet after detecting in-the-wild exploitation activity through its honeypots last week, according to a post on LinkedIn.
“This vulnerability allows attackers to bypass authentication by spoofing a specific access header and, through this, getting access to the back end,” Defused founder and CEO Simo Kohonen told Cybersecurity Dive.
Fortinet acknowledged the vulnerability on Friday and released the advisory on Saturday, Kohonen said. Fortinet also thanked researcher Nguyen Duc Anh for additional work to disclose the flaw.
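The flaw class Kohonen describes, an access-control decision that trusts a request header the client can set, is common enough that it is worth seeing beside its fix. The following is an added illustration, not Fortinet's code and not the actual FortiClient EMS mechanism: the header name, session tokens and user names are constructed placeholders. It shows a vulnerable check that grants admin to any request carrying the header, a hardened check that ignores the header entirely and derives the role from a server-issued session, and the edge-side step of stripping internal headers from inbound requests.

```python
# Added example, not Fortinet's code: the "trust a client-controllable access header"
# anti-pattern beside a hardened version. All names below are constructed placeholders.
import hashlib
import secrets

# Hypothetical internal header an upstream component might set after authenticating
# a user. A client can just as easily send it, which is the whole problem.
INTERNAL_ROLE_HEADER = "x-internal-access-role"  # placeholder, not a real Fortinet header


def _normalize(headers: dict) -> dict:
    """HTTP header names are case-insensitive; compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def vulnerable_is_admin(headers: dict) -> bool:
    """Vulnerable: any request that carries the header with the right value is admin."""
    return _normalize(headers).get(INTERNAL_ROLE_HEADER) == "admin"


class SessionStore:
    """Server-side session table: the role is bound to a secret the server issued,
    not to anything the client asserts about itself."""

    def __init__(self) -> None:
        self._by_hash: dict[str, tuple[str, str]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a leaked table does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, role: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._fingerprint(token)] = (user, role)
        return token

    def lookup(self, token: str):
        return self._by_hash.get(self._fingerprint(token))


def hardened_is_admin(headers: dict, store: SessionStore) -> bool:
    """Hardened: the role header is never consulted; authorization comes from a
    bearer token that the server itself issued and can look up."""
    auth = _normalize(headers).get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    record = store.lookup(auth[len("Bearer "):])
    return record is not None and record[1] == "admin"


def strip_untrusted_headers(headers: dict) -> dict:
    """Edge/proxy step: drop any inbound header in the internal namespace so a
    downstream component that still trusts it cannot be reached with a spoofed value."""
    return {k: v for k, v in _normalize(headers).items() if not k.startswith("x-internal-")}


if __name__ == "__main__":
    spoofed = {"X-Internal-Access-Role": "admin"}  # constructed request from an unauthenticated client
    store = SessionStore()
    print("vulnerable check grants admin:", vulnerable_is_admin(spoofed))      # True
    print("hardened check grants admin:", hardened_is_admin(spoofed, store))   # False
    print("after stripping:", vulnerable_is_admin(strip_untrusted_headers(spoofed)))  # False
```

The hardened path is the one to keep even after the hotfix is applied: a role header is acceptable only between components that are not reachable by clients at all, and the stripping step is how an edge enforces that.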
Shadowserver Foundation on Sunday warned that CVE-2026-35616, as well as CVE-2026-21643, an improper neutralization of special elements flaw in FortiClient EMS 7.4.4, are both being exploited in the wild.
The Cybersecurity and Infrastructure Security Agency on Monday added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog.
Researchers at watchTowr warned that the rapid succession of security flaws, combined with the Easter holiday weekend, could make mitigation of the FortiClient vulnerabilities more challenging.
“This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks,” watchTowr CEO Benjamin Harris told Cybersecurity Dive. “So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning.”
CVE-2026-21643 was originally disclosed in February by Fortinet’s product security team. Defused on March 28 said it had detected that the vulnerability had been under active exploitation since March 24.
Editor’s note: Updates with new information from CISA.
Shadowserver is tracking about 2,000 exposed instances of FortiClient EMS across the globe, with the U.S. and Germany accounting for the largest numbers of visible instances.