
New FortiClient EMS flaw exploited in assaults, emergency patch launched

Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks.

Tracked as CVE-2026-35616, the flaw is an improper access control vulnerability that allows unauthenticated attackers to execute code or commands via specially crafted requests.

The issue was patched Saturday, with Fortinet confirming it has been exploited in the wild.

“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” warns Fortinet.

Fortinet says the vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6 and can be mitigated by installing one of the following hotfixes:

The vulnerability will also be fixed in the upcoming FortiClient EMS 7.4.7. FortiClient EMS 7.2 is not affected.

The flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that allows attackers to bypass authentication and authorization controls entirely.


Defused shared on X that they observed the flaw being exploited as a zero-day earlier this week before reporting it to Fortinet under responsible disclosure.

Internet security watchdog Shadowserver has found over 2,000 exposed FortiClient EMS instances online, with the majority located in the USA and Germany.

The vulnerability follows a separate critical FortiClient EMS flaw, CVE-2026-21643, reported last week and also actively exploited in attacks.

Both vulnerabilities were discovered by Defused, with Fortinet also crediting Nguyen Duc Anh for the latest flaw.

Fortinet is urging customers to apply the hotfixes immediately or upgrade to version 7.4.7 when it becomes available to mitigate the risk of compromise.
