Vulnerabilities · CRITICAL

Fortinet FortiClient EMS - Critical 0-Day Vulnerability Exploited

Cyber Security News · Reporting by Guru Baran
3 sources · Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

A serious security hole in Fortinet's FortiClient EMS software is being used by attackers to break in without authorization. Fortinet has released fixes, and users should update their software right away to stay safe.

Quick Summary

A critical zero-day vulnerability in FortiClient EMS is actively exploited. Fortinet has released emergency patches and urges immediate action from users.

The Flaw

Fortinet has confirmed a critical zero-day vulnerability in FortiClient EMS, tracked as CVE-2026-35616, with a CVSSv3 score of 9.1. This vulnerability allows unauthenticated attackers to bypass API authentication and authorization controls, enabling them to execute arbitrary code or commands on vulnerable systems. Classified under CWE-284 (Improper Access Control), the flaw resides in the API layer of FortiClient Endpoint Management Server (EMS). Notably, the vulnerability has been described as a pre-authentication API access bypass leading to privilege escalation.

What's at Risk

The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, while version 7.2.x remains unaffected. Successful exploitation can lead to privilege escalation, compromising the confidentiality, integrity, and availability of the affected systems. Exploitation attempts were first recorded against honeypots on March 31, 2026, indicating a rapid escalation in threat activity leading up to the public disclosure. Security experts have raised concerns that the timing of the exploitation coincides with holiday weekends, a tactic often employed by attackers to take advantage of reduced security team availability.

Patch Status

Fortinet released emergency hotfixes for both affected versions on April 4, 2026. The upcoming FortiClient EMS version 7.4.7 is expected to include a permanent fix. Users are strongly urged to apply these hotfixes immediately to mitigate the risk of exploitation. Fortinet has observed that the vulnerability is being actively exploited in the wild, further emphasizing the urgency for users to update their systems.

Immediate Actions

Organizations running vulnerable versions of FortiClient EMS should prioritize the application of the emergency hotfixes. Detailed installation instructions can be found in the official FortiClient EMS release notes. Additionally, it is recommended to monitor EMS logs for any anomalous API activity, especially unauthenticated requests that may indicate prior exploitation attempts. Restricting external access to the EMS management interface can also provide an additional layer of defense while patching is completed. Given the critical nature of this vulnerability, organizations should treat this as an emergency response situation.
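The two response steps above (check whether an EMS instance is on an affected version, then look for unauthenticated or externally sourced API requests in its logs) as a small triage script. This is an added example, not code from Fortinet or the article; the log line layout, the `/api/` path prefix and the management network range are assumptions, and the sample log lines are constructed.

```python
"""Triage helpers for the CVE-2026-35616 response steps described above."""
import ipaddress
import re
from typing import Iterable

# Versions the advisory lists as affected; 7.2.x is stated as unaffected.
AFFECTED_VERSIONS = {"7.4.5", "7.4.6"}
# Assumption: the EMS management interface should only be reached from this range.
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumed (constructed) log layout, not the real EMS format:
# "<timestamp> <client_ip> <method> <path> auth=<yes|no> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>yes|no) status=(?P<status>\d{3})$"
)

def is_affected(version: str) -> bool:
    """True when an EMS version string is one the advisory lists as vulnerable."""
    return version.strip() in AFFECTED_VERSIONS

def suspicious_api_requests(lines: Iterable[str]) -> list[dict]:
    """Flag API requests that succeeded without authentication, and any API
    request arriving from outside the management network."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith("/api/"):
            continue  # skip lines that do not parse and non-API traffic
        reasons = []
        if m["auth"] == "no" and m["status"].startswith("2"):
            reasons.append("unauthenticated API request succeeded")
        try:
            if ipaddress.ip_address(m["ip"]) not in MANAGEMENT_NET:
                reasons.append("API request from outside management network")
        except ValueError:
            reasons.append("unparseable client address")
        if reasons:
            hits.append({"ts": m["ts"], "ip": m["ip"], "path": m["path"], "reasons": reasons})
    return hits

# Constructed sample lines for demonstration; not real EMS output.
SAMPLE_LOG = [
    "2026-03-31T02:14:07Z 10.20.1.5 GET /api/v1/endpoints auth=yes status=200",
    "2026-03-31T02:15:41Z 203.0.113.9 POST /api/v1/settings auth=no status=200",
    "2026-03-31T02:16:02Z 203.0.113.9 GET /login auth=no status=200",
]

if __name__ == "__main__":
    print("7.4.5 affected:", is_affected("7.4.5"))
    for hit in suspicious_api_requests(SAMPLE_LOG):
        print(hit)
```

Legitimate pre-authentication endpoints (such as a login route) will need an allowlist before this is used beyond triage.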

Context and Implications

The development comes shortly after another critical vulnerability in FortiClient EMS (CVE-2026-21643) was reported, raising concerns about the security posture of the FortiClient product line. The rapid succession of these vulnerabilities suggests a potentially systemic issue that organizations must address with urgency. Security experts have noted that the exploitation of CVE-2026-35616 may not be an isolated event; it remains unclear whether the same threat actor is behind both vulnerabilities, which has prompted speculation about coordinated attacks against Fortinet products. This incident underscores the need for organizations to remain vigilant and proactive in their cybersecurity measures.

The exploitation of CVE-2026-35616 highlights a concerning trend in the frequency of critical vulnerabilities within Fortinet's product line, necessitating a thorough review of security practices for organizations relying on FortiClient EMS.

Original article from

Cyber Security News · Guru Baran

Also covered by

Help Net Security: FortiClient EMS zero-day exploited, emergency hotfixes available (CVE-2026-35616)

The Hacker News: Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
