Critical Zero‑Day in FortiClient EMS (CVE‑2026‑35616) Actively Exploited – Emergency Patch Issued
What Happened — Fortinet disclosed a critical pre‑authentication access‑control flaw (CVE‑2026‑35616) in FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6 that allows unauthenticated attackers to execute arbitrary code via crafted API requests. The vulnerability is being exploited in the wild, prompting an emergency hot‑fix release on April 5 2026.
Why It Matters for TPRM —
- FortiClient EMS is the central server that manages FortiClient endpoints and pushes policy and software to them, so a zero‑day in it is not just one more server compromise: an attacker who takes the server gains a path into every endpoint it manages, including downstream client environments.
- Active exploitation means threat actors are already probing and compromising vulnerable instances, including those run by your vendors and service providers; any third‑party EMS that manages endpoints connected to your network is an immediate exposure, not a theoretical one.
- Delayed patching leaves that exposure open and can lead to lateral movement from the EMS into managed endpoints, data exfiltration, or service disruption across multiple business units.
Who Is Affected — Enterprises that use FortiClient EMS for endpoint management, spanning sectors such as finance, healthcare, retail, manufacturing, and government.
Recommended Actions —
- Verify whether any FortiClient EMS instances, your own or those operated on your behalf by third parties, are running versions 7.4.5 or 7.4.6.
- Deploy the emergency hot‑fixes for the affected versions immediately and plan an upgrade to 7.4.7 as soon as it is available; a hot‑fixed instance still needs the full upgrade scheduled.
- Conduct a rapid inventory of internet‑exposed EMS instances (Shadowserver reports more than 2,000 globally) and isolate any that cannot be patched right away, for example by removing them from the internet or restricting access to the management interface to trusted networks.
- Review logging and monitoring for anomalous API activity, in particular API requests that succeed without an authenticated session or that originate from sources outside your expected management networks; treat an exposed, unpatched instance as potentially compromised until a review shows otherwise.
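The four actions above form one triage procedure: find affected versions, rank them by exposure, and review the logs. The script below is an added example that walks through that procedure on constructed data; it is not code from Fortinet, Shadowserver or BleepingComputer. The inventory fields, the access‑log line format, the management allow‑list (10.20.0.0/16) and the `/api/example` path are all assumptions made for illustration, and the log heuristic (a successful API request with no authenticated user from outside the management networks) is a generic pre‑auth indicator, not a vendor‑published one.

```python
"""Patch-and-exposure triage for the FortiClient EMS advisory above.

Added example, not code from Fortinet, Shadowserver or BleepingComputer.
Assumptions: the inventory fields, the access-log format, the management
allow-list and the '/api/' path prefix are constructed for illustration;
real indicators of compromise come from the vendor advisory.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}  # versions named in the advisory
FIXED_VERSION = (7, 4, 7)                   # upgrade target named in the advisory

# Constructed: networks from which EMS administration is expected.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_version(text: str) -> tuple[int, int, int]:
    """'7.4.6' or '7.4.6 build 1234' -> (7, 4, 6)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


@dataclass
class EmsInstance:
    host: str
    version: str
    internet_exposed: bool  # e.g. from an external scan or Shadowserver data
    hotfix_applied: bool = False


def triage(inst: EmsInstance) -> str:
    """Map one instance to a recommended action from the list above."""
    v = parse_version(inst.version)
    if v >= FIXED_VERSION:
        return "ok"
    if v not in AFFECTED_VERSIONS:
        return "review"  # outside the advisory's stated range; confirm with the vendor
    if inst.hotfix_applied:
        return "upgrade-planned"  # hot-fix applied, 7.4.7 upgrade still to be scheduled
    if inst.internet_exposed:
        return "isolate-and-patch"  # reachable by the actors already exploiting this
    return "patch-now"


def prioritised(instances: list[EmsInstance]) -> list[tuple[str, str]]:
    """(host, action) pairs, most urgent first."""
    order = ["isolate-and-patch", "patch-now", "upgrade-planned", "review", "ok"]
    rows = [(i.host, triage(i)) for i in instances]
    return sorted(rows, key=lambda r: order.index(r[1]))


# Constructed access-log shape: "<ts> <src_ip> <method> <path> <status> user=<name|->"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")


def suspicious_api_requests(lines: list[str]) -> list[dict]:
    """Flag successful /api/ requests with no authenticated user from outside MGMT_NETS.

    Generic pre-auth heuristic for the advisory's 'anomalous API activity';
    it is not a vendor-published indicator.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed line: different log source or format
        ts, src, method, path, status, user = m.groups()
        addr = ipaddress.ip_address(src)
        from_mgmt = any(addr in net for net in MGMT_NETS)
        if path.startswith("/api/") and status.startswith("2") and user == "-" and not from_mgmt:
            hits.append({"ts": ts, "src": src, "method": method, "path": path})
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_INVENTORY = [
    EmsInstance("ems-dmz-01", "7.4.6", internet_exposed=True),
    EmsInstance("ems-corp-02", "7.4.5", internet_exposed=False),
    EmsInstance("ems-corp-03", "7.4.6", internet_exposed=False, hotfix_applied=True),
    EmsInstance("ems-lab-04", "7.4.7", internet_exposed=True),
]
SAMPLE_LOG = [
    "2026-04-05T10:12:33Z 203.0.113.7 POST /api/example 200 user=-",
    "2026-04-05T10:12:40Z 10.20.1.5 POST /api/example 200 user=admin",
    "2026-04-05T10:13:02Z 203.0.113.7 GET /login 200 user=-",
    "2026-04-05T10:13:10Z 198.51.100.9 GET /api/example 401 user=-",
]

if __name__ == "__main__":
    for host, action in prioritised(SAMPLE_INVENTORY):
        print(f"{host:<14} {action}")
    for hit in suspicious_api_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Versions below 7.4.5 are reported as "review" rather than "ok" because the page only names 7.4.5 and 7.4.6; whether older branches are affected has to be confirmed against the vendor advisory rather than assumed safe. Replace the constructed log regex with one matching your actual EMS access‑log export before running this against real data.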
Technical Notes — The flaw is an improper access‑control weakness (a pre‑auth bypass of the API) that lets an unauthenticated request reach functionality which results in command execution on the EMS server. It is classified as a critical zero‑day (CVE‑2026‑35616) and follows a prior FortiClient EMS vulnerability (CVE‑2026‑21643). No data breach has been publicly confirmed, but the impact of successful exploitation is remote code execution on the management server and, through it, potential theft of credentials the server holds. Source: BleepingComputer