
Fortinet Urges Emergency Action on Exploited FortiClient EMS Zero-Day

Fortinet has issued an urgent warning to customers after confirming that a critical zero-day vulnerability in FortiClient Endpoint Management Server is being actively exploited in the wild. The flaw, tracked as CVE-2026-35616, is described as an improper access control vulnerability that could allow an unauthenticated attacker to execute unauthorized code or commands through crafted requests.

The company said the vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, and has urged customers to apply its emergency hotfix immediately. Fortinet has also said the issue will be addressed in the forthcoming 7.4.7 release, but stressed that the hotfix already made available is sufficient to prevent exploitation.

Security databases have assigned the flaw a CVSS severity score of 9.1 out of 10, reflecting the seriousness of the risk. The rating is driven by the fact that the attack can be carried out over a network, requires no privileges, involves low attack complexity, and can have a severe impact on confidentiality, integrity and availability.

Fortinet credited security researchers at Defused with discovering and responsibly disclosing the issue. Public reporting and vendor guidance indicate the bug functions as a pre-authentication API access bypass, meaning attackers may be able to sidestep authentication and authorization controls entirely before executing malicious commands.

The urgency of the situation has increased further because US authorities have now added CVE-2026-35616 to CISA’s Known Exploited Vulnerabilities catalog, signalling that the flaw is not merely theoretical but already being used by attackers. That inclusion places additional pressure on exposed organisations to patch without delay.

For enterprise defenders, the message is clear. Any organisation running affected FortiClient EMS versions should assess exposure immediately and apply Fortinet’s hotfix as a priority. With exploitation already underway and no authentication required to trigger the flaw, this is the kind of vulnerability that can rapidly become a major incident if left unaddressed.
