Zero‑Day in FortiClient Endpoint Management Server (CVE‑2026‑35616) Actively Exploited, Threatening Enterprise Endpoint Security
What Happened — Fortinet disclosed a critical zero‑day vulnerability (CVE‑2026‑35616) in its FortiClient Endpoint Management Server (EMS) that allows unauthenticated attackers to bypass authentication and execute arbitrary code. The flaw is already being weaponised in the wild, prompting an emergency hot‑fix for EMS 7.4.5/7.4.6.
Why It Matters for TPRM (Third‑Party Risk Management) —
- The vulnerability resides in a core security‑fabric component that many third‑party vendors embed in their products.
- EMS is the central management point for every FortiClient endpoint it enrols, so an attacker who takes a compromised EMS server can push changes to those endpoints and use the server as a launch pad for lateral movement into downstream environments across a supply chain.
- Unpatched, internet‑exposed EMS instances have been observed globally (roughly 2,000 hosts), increasing the risk of data loss or service disruption for the customers of any vendor or provider that runs one.
Who Is Affected —
- Enterprises across all sectors that rely on FortiClient EMS for endpoint protection, VPN, and Zero‑Trust network access.
- Managed Service Providers (MSPs) and MSSPs that deploy FortiClient on behalf of clients.
Recommended Actions —
- Verify that every FortiClient EMS installation running 7.4.5 or 7.4.6 (the versions the emergency hot‑fix targets) has the hot‑fix applied; confirm the status of any other version against Fortinet's advisory rather than assuming it is unaffected.
- Inventory every EMS server and flag those reachable from the internet (public IPs, or a management interface exposed through a mis‑configured firewall or NAT rule), since exposed hosts are the ones being probed.
- Accelerate patching of the related CVE‑2026‑21643 (also actively exploited).
- Review third‑party contracts for security‑fabric dependencies and enforce timely remediation clauses.
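The verification and inventory steps above, as an added example that is not code from the page, Fortinet, or DataBreachToday: a Python triage script that applies the brief's rule (EMS 7.4.5/7.4.6 need the emergency hot‑fix) to a constructed inventory, treats any address outside the non‑routable ranges as potentially internet‑facing, ranks hosts by priority, and groups remediation by owner so third‑party dependencies can be chased. The CSV columns, the sample hosts, and the decision that any version other than 7.4.5/7.4.6 is "verify against the vendor advisory" rather than "safe" are assumptions of the example, not statements from the advisory.

```python
"""Triage a FortiClient EMS inventory against the advisory's hot-fix requirement.

Added example for this brief; not code from the page, Fortinet, or DataBreachToday.
Assumptions not stated on the page: the CSV columns below, and that versions other
than 7.4.5/7.4.6 are 'unverified' until checked against Fortinet's advisory, not safe.
"""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Versions the brief names as the targets of the emergency hot-fix for CVE-2026-35616.
HOTFIX_TARGET_VERSIONS = {(7, 4, 5), (7, 4, 6)}

# Address ranges that cannot be reached from the internet; anything else is treated
# as potentially internet-facing and should be confirmed with external scan data.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

# Constructed sample inventory (hypothetical hosts; documentation-range public IPs).
SAMPLE_INVENTORY = """host,ip,version,hotfix_applied,owner
ems-hq,203.0.113.10,7.4.5,no,internal
ems-dc2,10.20.30.40,7.4.6,no,internal
ems-msp,198.51.100.7,7.4.6,yes,acme-msp
ems-lab,192.168.1.5,7.4.4,no,internal
ems-old,10.0.0.9,7.2.9,no,vendor-xyz
"""

PRIORITY_ORDER = {"P1": 0, "P2": 1, "VERIFY": 2, "OK": 3}


@dataclass
class Finding:
    host: str
    ip: str
    owner: str
    version: str
    priority: str
    reason: str


def parse_version(text):
    """'7.4.5' -> (7, 4, 5); trailing build info such as '7.4.5 build 1234' is ignored."""
    return tuple(int(part) for part in text.strip().split()[0].split("."))


def is_internet_facing(ip_text):
    """True when the address lies outside every non-routable range above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in NON_ROUTABLE)


def triage_row(row):
    """Classify one inventory row: P1/P2 need the hot-fix now, VERIFY needs a vendor check."""
    version = parse_version(row["version"])
    exposed = is_internet_facing(row["ip"])
    hotfixed = row["hotfix_applied"].strip().lower() in ("yes", "true", "1")
    where = "internet-facing" if exposed else "internal"
    common = dict(host=row["host"], ip=row["ip"], owner=row["owner"], version=row["version"])

    if version not in HOTFIX_TARGET_VERSIONS:
        return Finding(**common, priority="VERIFY",
                       reason=f"{where}; not a hot-fix target version, confirm status against the vendor advisory")
    if hotfixed:
        return Finding(**common, priority="OK",
                       reason=f"{where}; hot-fix applied, still review for compromise predating the fix")
    if exposed:
        return Finding(**common, priority="P1", reason="internet-facing and unpatched; actively exploited")
    return Finding(**common, priority="P2", reason="internal and unpatched; reachable for lateral movement")


def triage_inventory(csv_text):
    """Return findings sorted by priority, then host name."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [triage_row(row) for row in rows]
    return sorted(findings, key=lambda f: (PRIORITY_ORDER[f.priority], f.host))


def summarize(findings):
    """Counts per priority, e.g. {'P1': 1, 'P2': 1, 'VERIFY': 2, 'OK': 1}."""
    return dict(Counter(f.priority for f in findings))


def owners_needing_remediation(findings):
    """Owners (internal teams or third parties) with at least one P1/P2 host."""
    return sorted({f.owner for f in findings if f.priority in ("P1", "P2")})


if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.priority:6} {f.host:8} {f.ip:15} {f.version:6} {f.owner:10} {f.reason}")
    print(summarize(results))
    print("chase remediation with:", owners_needing_remediation(results))
```

The address‑range check is only a first pass: a routable address does not prove the management interface is reachable, and an RFC 1918 address does not prove it is not (port‑forwarding and reverse proxies break both assumptions), so reconcile the P1 set with external scan data such as Shadowserver notifications before closing findings.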
Technical Notes — The zero‑day (CVE‑2026‑35616) is an unauthenticated remote code execution flaw: crafted HTTP requests to the EMS server bypass its authentication and authorization checks. It co‑exists with a critical SQL‑injection flaw that can lead to remote code execution (CVE‑2026‑21643, CVSS 9.1, which sits in the Critical band rather than High). Both are being exploited in the wild; threat intelligence from Defused and Shadowserver confirms active probing and exploitation. Because exploitation began before fixes were available, applying the hot‑fix does not by itself clear a server that was already compromised; any EMS host that was reachable while unpatched should be reviewed for signs of compromise before it is trusted again. Source: DataBreachToday