
Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet has released out-of-band patches for a critical security flaw affecting FortiClient EMS that it said has been exploited in the wild.

The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation.

"An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests," Fortinet said in a Saturday advisory.

The issue affects FortiClient EMS versions 7.4.5 through 7.4.6. It is expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it in the meantime.

Simo Kohonen from Defused Cyber and Nguyen Duc Anh have been credited with discovering and reporting the flaw. In a post on X, Defused Cyber said it observed zero-day exploitation of CVE-2026-35616 earlier this week. According to watchTowr, exploitation attempts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026.

Successful exploitation of the flaw could allow an unauthenticated attacker to bypass API authentication and authorization protections and execute malicious code or commands via crafted requests.


"Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6," the company added.

The development comes just days after another recently patched critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) came under active exploitation. It is currently not known whether the same threat actor is behind the exploitation of both flaws, or whether they are being weaponized together.

Given the severity of the vulnerabilities, users are advised to update their FortiClient EMS to the latest version as soon as possible.

"The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental," watchTowr CEO and founder Benjamin Harris told The Hacker News.

"Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity."


"What's disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks."

"So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start."
