INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Fortinet Releases Emergency Patch After FortiClient EMS Exploit
2026-04-07 09:26 | CRITICAL HIGH
Executive Summary (AI-generated)
Threat actors are targeting organizations with endpoint management infrastructure, exploiting vulnerabilities in FortiClient EMS and other software to push malicious updates and launch attacks into cloud systems. The most recent incidents involve a critical improper access control vulnerability (CVE-2026-35616) and an SQL injection flaw (CVE-2026-21643). Fortinet has issued emergency patches for affected products, and customers have been urged to upgrade or disconnect the administrative web interface from the internet.
Technical Mitigations (AI-generated)
* Implement a secure patching strategy, such as applying hotfixes or patches for FortiClient EMS products immediately after the vulnerability is discovered.
* Monitor endpoint management infrastructure and database logs for signs of unauthorized access or malicious activity, and take swift action to contain and remediate any issues.
* Regularly update software and firmware to ensure that all systems are running with the latest security patches and updates.
* Implement a robust incident response plan, including procedures for containing and remediating zero-day attacks, and provide training to employees on how to respond in such situations.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-21643
CVE-2026-35616
Target & Sectors
NORTH_AMERICA
Incident Timeline
2026/03/31
The FortiClient EMS platform was exploited to discover a second critical vulnerability.
Second Critical Flaw in a Week
Defused also discovered another critical vulnerability in the FortiClient EMS platform last week, also being exploited in the wild.
2026/04/07
Fortinet released an emergency patch for a critical FortiClient EMS vulnerability, CVE-2026-35616.
This week, Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild.
CVE-2026-21643 is an SQL injection flaw with a CVSS score of 9.8 which could allow unauthenticated attackers to execute unauthorized code via specifically crafted HTTP requests.
For that specific vulnerability, customers were urged to upgrade to version 7.4.5 or later, or at least disconnect the administrative web interface from the internet.
Fortinet customers have been urged to update their FortiClient Enterprise Management Server (EMS) products after the vendor was forced to issue an emergency patch over the weekend.
“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the vendor said.
Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes.
“The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely, unauthorized code or commands via crafted requests,” Defused said in a social media post.
The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.
Endpoint management solutions are a popular target for threat actors given the access they provide to company device fleets.
A permanent fix will also be included in version 7.4.7.
Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active zero-day exploitation of the issue.
April 9, 2026
Fortinet released an emergency patch for its FortiClient EMS software after the vulnerability was exploited by threat actors.
Intelligence Sources
* Infosecurity-Magazine, 2026-04-07: Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited
* Security Affairs, 2026-04-07
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T12:09
Comprehensive Tactical Telemetry
Highly Correlated Entities

| Count | Category | Attribute | Value | Type |
|---|---|---|---|---|
| 11x | organisation | Identified Entity | the FortiClient EMS | entity |
| 6x | attribution | Attributing Entity | SecurityAffairs | authority |
| 5x | timeline | Temporal Reference | 2026/03/31 | date |
| 3x | tactic | Cyber Operation Type | Espionage | tactic |
| 3x | infrastructure | Software Version | 7.4.5 | version |
| 2x | vulnerability | Exploited CVE | CVE-2026-35616 | cve |
| 2x | vulnerability | CVSS Score | 9 | score |
| 2x | tactic | MITRE ATT&CK Technique | T1584.004 - Server | technique |

Contextual Telemetry (2 metrics)
* general metric: Errors = 500 (errors)
* target region: Target Country = United States (country)