INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Fortinet Patches Actively Exploited CVE-2026-35616 in EMS
2026-04-05 18:45 | CRITICAL HIGH
Executive Summary (AI-generated)
A newly discovered vulnerability in FortiClient EMS affects a product with over 2,000 instances exposed online. This critical flaw allows unauthenticated attackers to execute code or commands via specially crafted requests, putting affected users and organizations worldwide at risk. The issue is particularly concerning because it follows a separate, previously reported vulnerability (CVE-2026-21643) that was also actively exploited in attacks. Fortinet has released an emergency patch for the new flaw and urges customers to apply the hotfix immediately or upgrade to version 7.4.7 when available.
Technical Mitigations (AI-generated)
* Implement a secure patching strategy, such as:
  + Upgrading to the latest FortiClient EMS version (7.4.6 or later) immediately
  + Applying hotfixes for CVE-2026-35616 and CVE-2026-21643 in a timely manner
  + Conducting automated pentesting and vulnerability scanning to identify potential weaknesses
* Use secure coding practices, such as:
  + Ensuring API access is properly authenticated before executing requests
  + Implementing rate limiting and IP blocking for suspicious traffic patterns
  + Regularly updating dependencies and libraries to prevent known vulnerabilities
* Monitor FortiClient EMS logs and network traffic for signs of exploitation, such as:
  + Identifying unusual login attempts or API calls
  + Detecting changes in system configuration or user activity
  + Monitoring for potential privilege escalation attacks
Note: These are general recommendations and may not be applicable to specific use cases. It's essential to consult with security experts and conduct thorough risk assessments before implementing any mitigation strategies.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-21643
CVE-2026-35616
Target & Sectors
DACH
Incident Timeline
2026/03/29
The vulnerability CVE-2026-21643 was exploited in attacks against FortiClient EMS on March 29, 2026.
vulnerability
CVE-2026-21643
The vulnerability follows a separate critical FortiClient EMS flaw, CVE-2026-21643, reported last week and also actively exploited in attacks.
March 31, 2026
Threat actors exploited a newly discovered vulnerability in the FortiClient EMS software.
March 31
Threat actors exploited CVE-2026-35616 in attacks targeting FortiClient EMS on March 31.
vulnerability
CVE-2026-35616
According to watchTowr, exploitation attempts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026.
Apr 05, 2026
Threat actors exploited a newly discovered vulnerability in the FortiClient EMS software.
2026/04/05
Fortinet released an emergency patch for a critical security flaw in its FortiClient EMS software that allows attackers to bypass authentication and authorization controls.
organisation
API
The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation.
The flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that allows attackers to bypass authentication and authorization controls entirely.
organisation
FortiClient EMS
Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS.
Fortinet says the vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6 and can be mitigated by installing one of the following hotfixes:
The vulnerability will also be fixed in the upcoming FortiClientEMS 7.4.7.
organisation
Defused
organisation
CVSS
The development comes merely days after another recently patched, critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) came under active exploitation.
infrastructure
7.4.5
The issue affects FortiClient EMS versions 7.4.5 through 7.4.6.
infrastructure
7.4.6
infrastructure
7.4.7
It's expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it.
Fortinet is urging customers to apply the hotfixes immediately or upgrade to version 7.4.7 when it becomes available to mitigate the risk of compromise.
organisation
Fortinet
organisation
Vulnerability / API Security
Ravie Lakshmanan
Apr 05, 2026
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild.
organisation
The Hacker News
"The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental," watchTowr CEO and founder Benjamin Harris told The Hacker News.
organisation
Shadowserver
Internet security watchdog Shadowserver has found over 2,000 exposed FortiClient EMS instances online, with the majority located in the USA and Germany.
infrastructure
2,000 Shadowserver
organisation
New FortiClient EMS
New FortiClient EMS flaw exploited in attacks, emergency patch released.
organisation
FortiClient Enterprise Management
Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks.
organisation
EMS
organisation
FortiClient EMS 7.4.5
"Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6," warns Fortinet.
organisation
FortiClient EMS 7.2
FortiClient EMS 7.2 is not affected.
victims
7.2 FortiClient EMS
Tactical Metrics
Metrics
infrastructure
7.4.5
Software Version
Metrics
infrastructure
7.4.6
Software Version
Metrics
infrastructure
7.4.7
Software Version
Metrics
infrastructure
2,000
Shadowserver
Metrics
victims
7
Forticlient Ems
Intelligence Sources
The Hacker News
2026-04-05
BleepingComputer
2026-04-05
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T12:03
Comprehensive Tactical Telemetry
Highly Correlated Entities
14x | organisation | Identified Entity | API | entity
6x | timeline | Temporal Reference | Apr 05, 2026 | date
3x | infrastructure | Software Version | 7.4.5 | version
2x | vulnerability | Exploited CVE | CVE-2026-35616 | cve
Contextual Telemetry
Context Block
9 METRICS
tactic | Cyber Operation Type | Privilege Escalation | tactic
general metric | Score | 9 | score
general metric | Apr | 5 | apr
general metric | Api Security Fortinet | 2,026 | api security fortinet
source region | Origin Country | United States | country
target region | Target Country | Germany | country
infrastructure | Shadowserver | 2,000 | shadowserver
tactic | MITRE ATT&CK Technique | T1584.004 - Server | technique
victims | Forticlient Ems | 7 | forticlient ems