CP
cyberpings
VulnerabilitiesCRITICAL

Critical Flaw in FortiClient EMS Under Exploitation, Emergency Patch Released

#FortiClient#Fortinet#zero-day#CVE-2026-35616#vulnerability#cybersecurity

Original Reporting

CSCybersecurity Dive·David Jones

AI Intelligence Briefing

CyberPings AI·Reviewed by Rohit Rana
Severity LevelCRITICAL

Active exploitation or massive impact — immediate action required

🛡️
🛡️ VULNERABILITY DETAILS
CVE ID
CVSS Score
Severity RatingCritical
Affected ProductFortiClient EMS
VendorFortinet
Vulnerability Type
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Actively ExploitedYes
Patch AvailableYes
Workaround Available
🎯

Fortinet found a serious problem in its software that hackers are already using to break in. They quickly made a fix, and everyone using that software needs to update it right away to stay safe.

Quick Summary

Fortinet has confirmed a critical vulnerability in FortiClient EMS is being actively exploited. An emergency patch has been released to address this zero-day flaw, tracked as CVE-2026-35616.

The Flaw

Fortinet has identified a critical vulnerability in its FortiClient EMS (Endpoint Management Server), tracked as CVE-2026-35616. This flaw, which has been labeled a zero-day, allows unauthorized access through improper access controls, enabling unauthenticated attackers to execute unauthorized code or commands via crafted requests. It has been reported that this vulnerability has been under active exploitation since at least March 31.

What's at Risk

The vulnerability poses severe risks for organizations using FortiClient EMS, which is widely utilized for managing and securing both remote and office computers. Given Fortinet's extensive user base across various sectors, the potential impact could be significant. Notably, this is the second critical flaw in FortiClient to be exploited in recent weeks, following another vulnerability that also allowed for unauthenticated remote code execution.

Patch Status

In response to the discovery, Fortinet has released an emergency hotfix for FortiClient EMS versions 7.4.5 and 7.4.6. Users are strongly advised to apply this patch immediately to mitigate the risk of exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and has set a deadline for federal agencies to apply the patch.

Immediate Actions

Organizations using FortiClient EMS should:

  • Apply the emergency hotfix as soon as possible.
  • Monitor systems for any unusual activity that may indicate exploitation.
  • Review security policies to ensure they are robust against unauthorized access.

Security experts have noted that the initial exploitation behavior was characterized as "low and slow," but this quickly escalated as attackers began to leverage the zero-day more opportunistically. As always, the best time to apply the hotfix was yesterday, and the second best time is right now. This situation underscores the importance of maintaining up-to-date security measures and being vigilant against potential threats.

🔍 How to Check If You're Affected

  1. 1.Monitor for unusual system behavior.
  2. 2.Check logs for unauthorized access attempts.
  3. 3.Ensure the latest patch is applied to FortiClient EMS.

🏢 Impacted Sectors

Information TechnologyFinanceHealthcareGovernment

Pro Insight

The rapid escalation of exploitation tactics following the discovery of this zero-day highlights the urgent need for organizations to prioritize patch management and proactive security measures.

🗓️ Story Timeline

Story broke by Cybersecurity Dive
Covered by The Register Security

Sources

Original Report

CSCybersecurity Dive· David Jones
Read Original

Also covered by

THThe Register Security

Attackers exploited this critical FortiClient EMS bug as a 0-day

Read

Share Insight

Related Pings

HIGHVulnerabilities

GPUBreach - New Attack Enables System-Wide Compromise

A new vulnerability called GPUBreach allows attackers to gain root access through GPU memory manipulation. This poses serious risks to various computing environments, including AI workloads. Organizations are urged to monitor and patch systems promptly.

Cyber Security News·
HIGHVulnerabilities

Claude Code Leak and Axios NPM Compromise - AppSec Insights

The Claude Code leak and Axios NPM compromise reveal ongoing security challenges in app development. These incidents highlight vulnerabilities that can affect many developers and users. It's crucial to address these issues to protect sensitive data and maintain trust.

SC Media·
HIGHVulnerabilities

Android Zero-Interaction Vulnerability - Critical DoS Risk

Google's latest security bulletin reveals a critical vulnerability in Android. This flaw allows attackers to crash devices without user interaction. Users should update their devices immediately to stay protected.

Cyber Security News·
HIGHVulnerabilities

WhatsApp TEE Security Audit Reveals Critical Vulnerabilities

WhatsApp's new Private Inference feature faced vulnerabilities that could compromise user privacy. Meta has patched these issues, but the audit reveals critical lessons for TEE security.

Trail of Bits Blog·
CRITICALVulnerabilities

Flowise AI - Critical RCE Vulnerability Under Active Exploitation

A critical CVSS 10.0 vulnerability in Flowise is being actively exploited, exposing over 15,000 instances to remote code execution risks. Immediate action is required.

The Hacker News·
MEDIUMVulnerabilities

CWE Weakness Patterns - The Case for Systematic Fixes

Alec Summers discusses the importance of fixing CWE weakness patterns instead of just patching bugs. This proactive approach can reduce recurring work for security teams and improve vulnerability management.

Help Net Security·