DEV Community

Mark0

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet has issued urgent out-of-band patches for a critical security flaw in FortiClient EMS, identified as CVE-2026-35616. This vulnerability, which carries a CVSS score of 9.1, allows unauthenticated attackers to bypass API access controls and achieve privilege escalation. The flaw is currently being exploited in the wild as a zero-day, potentially leading to unauthorized code execution through specially crafted requests.

The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, with CISA recently adding it to the Known Exploited Vulnerabilities catalog. Security researchers have observed exploitation attempts coinciding with holiday weekends, emphasizing the need for immediate remediation. Organizations are strongly advised to apply the available hotfixes and upgrade to version 7.4.7 to mitigate the risk of compromise.

