Fortinet has issued urgent out-of-band patches to address a critical zero-day vulnerability in FortiClient EMS, tracked as CVE-2026-35616. This flaw, which carries a CVSS score of 9.1, is a pre-authentication API access bypass that allows unauthenticated attackers to execute unauthorized code or commands through specially crafted requests. The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, and Fortinet has confirmed that exploitation has already been observed in the wild.
Security researchers noted that exploitation attempts began as early as late March 2026, often coinciding with holiday weekends when security teams may be at lower capacity. This incident follows closely on the heels of another recently patched critical vulnerability in the same product. Organizations utilizing FortiClient EMS are strongly urged to apply the available hotfixes immediately to mitigate the risk of compromise, as attackers are actively weaponizing the flaw.