FortiClient EMS Zero-Day Vulnerability - Emergency Hotfixes Released

What Happened

A critical zero-day vulnerability has been discovered in Fortinet's FortiClient Endpoint Management Server (EMS), identified as CVE-2026-35616. This flaw allows attackers to bypass authentication and authorization controls, potentially enabling them to execute unauthorized commands. Fortinet confirmed that this vulnerability is currently being exploited in the wild, prompting an urgent response from the company.

The Flaw

CVE-2026-35616 is classified as an improper access control vulnerability. It allows unauthenticated attackers to send crafted requests that can lead to unauthorized code execution. This vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, while the 7.2 branch remains unaffected. The company has stated that the hotfixes provided are sufficient to mitigate the risk entirely.

Patch Status

Fortinet has released emergency hotfixes for the affected versions, urging all users to install these updates immediately. The upcoming FortiClient EMS version 7.4.7 will also include a fix for this issue. However, it remains unclear whether the 8.0 branch is impacted or if this zero-day is being exploited in conjunction with other vulnerabilities.

Immediate Actions

If you are using FortiClient EMS, take the following steps:

• Update to the latest version: Ensure you have installed the hotfixes for versions 7.4.5 and 7.4.6.
• Monitor your systems: Watch for any unusual activity that may indicate exploitation.
• Stay informed: Keep an eye on Fortinet’s advisories for any further updates regarding this vulnerability.

Conclusion

The discovery of CVE-2026-35616 highlights the ongoing challenges in cybersecurity, particularly regarding zero-day vulnerabilities. Organizations using FortiClient EMS must act swiftly to protect their systems from potential exploitation. Fortinet's prompt response in issuing hotfixes demonstrates the importance of timely communication and action in the face of emerging threats.