Fortinet Issues Emergency Patch for Critical FortiClient Bug
Active exploitation or massive impact β immediate action required
Basically, Fortinet fixed a serious flaw in their software that hackers were using to break in.
Fortinet released an emergency patch for a critical vulnerability in FortiClient EMS. This flaw is actively exploited, affecting many organizations. Immediate updates are crucial to safeguard against potential attacks.
What Happened
Fortinet has issued an emergency patch for its FortiClient Enterprise Management Server (EMS) after a critical vulnerability was exploited in the wild. This flaw, identified as CVE-2026-35616, has a CVSS score of 9.1, indicating its severity. It allows unauthenticated attackers to execute unauthorized code through crafted requests, posing a significant risk to users.
Who's Affected
Organizations using FortiClient EMS versions 7.4.5 and 7.4.6 are particularly at risk. Fortinet has urged these customers to apply the hotfix immediately to prevent exploitation. The upcoming version 7.4.7 will also address this vulnerability.
What Data Was Exposed
The vulnerability permits attackers to bypass API authentication and authorization entirely. If exploited, it could lead to unauthorized access and control over the endpoint management infrastructure, enabling further attacks such as ransomware deployment or data breaches.
What You Should Do
Customers should:
- Update FortiClient EMS to version 7.4.5 or later.
- Monitor for indicators of compromise (IoCs) such as HTTP 500 errors on the
/api/v1/init_constsendpoint and unusual database error messages in PostgreSQL logs. - Disconnect the administrative web interface from the internet if immediate patching is not possible.
Additional Context
This is the second critical flaw discovered in FortiClient EMS within a week. The earlier vulnerability, CVE-2026-21643, is an SQL injection flaw with a CVSS score of 9.8, which also allows unauthorized code execution through crafted HTTP requests. Such vulnerabilities highlight the increasing targeting of endpoint management solutions by threat actors, who can leverage these weaknesses to launch more extensive attacks on organizational infrastructure.
Fortinet's proactive response in releasing patches reflects the urgency of addressing these critical vulnerabilities. Organizations must remain vigilant and ensure their systems are updated to mitigate the risks associated with these exploits.
π How to Check If You're Affected
- 1.Check for HTTP 500 errors on the /api/v1/init_consts endpoint.
- 2.Review PostgreSQL logs for unusual database error messages.
- 3.Look for unauthorized remote monitoring and management tools.
πΊοΈ MITRE ATT&CK Techniques
π Pro insight: The rapid exploitation of CVE-2026-35616 indicates a growing trend of targeting endpoint management systems, necessitating immediate patching and monitoring.