Fortinet has issued emergency patches for CVE-2026-35616, a critical pre-authentication API access bypass vulnerability in FortiClient EMS. With a CVSS score of 9.1, this flaw allows unauthenticated attackers to execute unauthorized commands or code via crafted requests, posing a significant risk to organizational infrastructure.
The vulnerability has been confirmed to be exploited in the wild, with reports indicating zero-day activity coinciding with holiday weekends to maximize impact. This follows closely on the heels of another critical EMS vulnerability (CVE-2026-21643), leading security experts to urge immediate application of hotfixes for versions 7.4.5 and 7.4.6.