Fortinet has released urgent security updates to fix a critical vulnerability in FortiClient Endpoint Management Server (EMS) that is already being actively exploited by attackers. The flaw, identified as CVE-2026-35616, carries a high CVSS score of 9.1, making it a serious threat for organizations relying on Fortinet solutions for endpoint security and management.
CVE-2026-35616 is a critical security vulnerability caused by improper access control in FortiClient EMS. This flaw allows attackers to bypass authentication mechanisms through specially crafted API requests. In simple terms, a remote attacker does not need valid login credentials to exploit this vulnerability.
Once exploited, the attacker can execute unauthorized commands or run malicious code on the affected system. This type of attack is especially dangerous because it can lead to full system compromise, privilege escalation, and potential lateral movement across the network.
The vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6. While Fortinet plans to fully address the issue in version 7.4.7, it has already released an emergency hotfix to protect users from ongoing attacks.
Organizations using the affected versions are strongly advised to apply the hotfix immediately instead of waiting for the next full release. Delaying updates could leave systems exposed to active exploitation attempts.
Security researchers and threat intelligence teams have confirmed that CVE-2026-35616 is being actively exploited in real-world attacks. Reports indicate that exploitation attempts were first observed around March 31, 2026, using honeypot systems designed to detect malicious activity.
Experts believe attackers are taking advantage of this vulnerability to gain unauthorized access to enterprise environments. Since the flaw allows pre-authentication access, it significantly lowers the barrier for attackers, making it easier to compromise systems at scale.
The vulnerability enables attackers to bypass API authentication and authorization controls. By sending specially crafted requests to the FortiClient EMS server, attackers can trick the system into executing commands without verifying the user’s identity.
This can result in:
- Unauthorized code execution
- Full administrative access
- Data theft or manipulation
- Deployment of malware or ransomware
Because the attack does not require prior authentication, it can be launched remotely over the internet, making publicly exposed EMS servers especially vulnerable.
This incident comes shortly after another critical FortiClient EMS vulnerability, CVE-2026-21643 (also rated 9.1), was found to be under active exploitation. While it is not yet confirmed whether the same threat actors are behind both attacks, the timing raises concerns.
Security experts warn that attackers may combine multiple vulnerabilities to maximize their impact. This increases the urgency for organizations to patch all known issues without delay.
Cybersecurity experts highlight that attackers often launch campaigns during weekends and holidays. During these periods, security teams may be understaffed, and response times can be slower.
This creates a wider window for attackers to operate undetected. The recent exploitation activity aligns with this pattern, suggesting that threat actors are strategically timing their attacks to avoid quick detection and response.
Given the severity of the vulnerability and confirmed exploitation, organizations should treat this as a high-priority security incident. Here are the recommended actions:
1. Apply the Hotfix Immediately
Install the latest hotfix released by Fortinet for versions 7.4.5 and 7.4.6 without delay.
2. Upgrade to the Latest Version
Plan to upgrade to FortiClient EMS version 7.4.7 once it becomes available for complete protection.
3. Restrict Internet Exposure
If possible, limit or remove public access to FortiClient EMS servers to reduce the attack surface.
4. Monitor for Suspicious Activity
Check logs for unusual API requests, unauthorized access attempts, or unexpected command executions.
5. Conduct Threat Hunting
Perform proactive threat hunting to identify any signs of compromise within your network.
6. Strengthen Access Controls
Implement additional security measures such as network segmentation and zero-trust policies.
The discovery and active exploitation of CVE-2026-35616 highlight the growing risks associated with unpatched vulnerabilities in enterprise security systems. With attackers already taking advantage of this flaw, organizations cannot afford to delay their response.
This is not just a routine patching exercise—it should be treated as an emergency. Applying the hotfix, monitoring systems, and strengthening defenses are critical steps to prevent potential breaches.
Interesting Article : Critical Chrome Flaw CVE-2026-5281 Exploited in the Wild