Fortinet over the weekend rushed emergency fixes for a FortiClient Enterprise Management Server (EMS) vulnerability that has been exploited as a zero-day.
Described as an improper access control issue, the critical-severity flaw is tracked as CVE-2026-35616 (CVSS score of 9.1) and could be exploited for remote code execution (RCE).
According to Fortinet’s advisory, remote attackers could send crafted requests to a vulnerable FortiClient EMS to trigger the bug. Successful exploitation does not require authentication, it says.
“Fortinet has observed this to be exploited in the wild,” the company warned.
On Saturday, Fortinet announced the availability of hotfixes to address the security defect in FortiClient EMS versions 7.4.5 and 7.4.6, noting that version 7.2 is not affected.
The company also published detailed instructions on how to download and apply the hotfixes for both FortiClient EMS 7.4.5 and 7.4.6, and on how to verify that the hotfixes have been applied.
“Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely,” Fortinet said.
The company credited “Defused” for finding and reporting the flaw. According to the cybersecurity firm, the vulnerability allows unauthenticated attackers to bypass API authentication and authorization.
“After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under responsible disclosure,” the cybersecurity company said on Saturday.
Non-profit organization The Shadowserver Foundation says it has observed approximately 2,000 FortiClient EMS instances that are accessible from the internet.
These instances, it notes, are potentially exposed to attacks exploiting the new zero-day, as well as CVE-2026-21643, a recently patched SQL injection that has been exploited for over a week.
Related: TrueConf Zero-Day Exploited in Asian Government Attacks
Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign
Related: Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome
Related: Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks
