Defused Cyber has spotted a critical Fortinet FortiClient Endpoint Management Server (EMS) zero-day vulnerability (CVE-2026-35616) being exploited in the wild.
This time around, confirmation of active exploitation also came almost immediately from Fortinet itself.
“Fortinet has observed [CVE-2026-35616] to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the company stated in a security advisory published on Saturday.
About CVE-2026-35616
On Monday, Defused Cyber warned about CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient EMS, being leveraged by remote, unauthenticated attackers.
The exploitation of CVE-2026-21643 came months after Fortinet pushed out a fix for it and several weeks after Bishop Fox researchers shared their analysis of the vulnerability and practical exploitation paths.
CVE-2026-35616, on the other hand, is an improper access control vulnerability that allows for an API authentication and authorization bypass, and may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
CVE-2026-35616 affects FortiClientEMS versions 7.4.5 and 7.4.6, but not the 7.2 branch. According to Fortinet, the provided hotfixes are “sufficient to prevent it entirely.”
“Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue,” the company added. The security advisory does not mention whether the 8.0 branch is affected by this flaw.
It’s also unknown whether the two zero-days are being leveraged together.