Fortinet FortiClient EMS - Critical 0-Day Vulnerability Exploited

Active exploitation or massive impact — immediate action required
There's a serious flaw in Fortinet's software that lets bad guys sneak in without a password. The flaw was discovered only recently, and everyone running the affected software needs to fix it quickly to stay safe.
Fortinet has confirmed a critical zero-day vulnerability in FortiClient EMS, allowing unauthenticated attackers to bypass API authentication. Immediate patching is urged as exploitation attempts escalate.
The Flaw
Fortinet has confirmed a critical zero-day vulnerability in FortiClient EMS, tracked as CVE-2026-35616, with a CVSSv3 score of 9.1. This vulnerability allows unauthenticated attackers to bypass API authentication and authorization controls, enabling them to execute arbitrary code or commands on vulnerable systems. Classified under CWE-284 (Improper Access Control), the flaw resides in the API layer of FortiClient Endpoint Management Server (EMS). Notably, the vulnerability has been described as a pre-authentication API access bypass leading to privilege escalation. The vulnerability was discovered by the cybersecurity firm Defused, which responsibly disclosed it to Fortinet after observing in-the-wild exploitation. Fortinet has confirmed that this flaw has been actively exploited since at least March 31, 2026.
What's at Risk
The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6, while version 7.2.x remains unaffected. Successful exploitation can lead to privilege escalation, compromising the confidentiality, integrity, and availability of the affected systems. Exploitation attempts were first recorded against honeypots on March 31, 2026, indicating a rapid escalation in threat activity leading up to the public disclosure. Security experts have raised concerns that the timing of the exploitation coincides with holiday weekends, a tactic often employed by attackers to take advantage of reduced security team availability. Additionally, the Shadowserver Foundation reports that over 2,000 FortiClient EMS instances are accessible from the internet, with the majority located in the USA and Germany, heightening the risk of attacks exploiting this vulnerability. Furthermore, Defused has reported that another vulnerability, CVE-2026-21643, was also being exploited in the wild as early as March 24, 2026, raising concerns about a coordinated attack strategy. The US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its KEV Catalog on April 6, 2026, setting a deadline for federal agencies to apply the patch.
Patch Status
Fortinet released emergency hotfixes for both affected versions on April 4, 2026. Users are strongly urged to apply these hotfixes immediately to mitigate the risk of exploitation. Fortinet has observed that the vulnerability is being actively exploited in the wild, further emphasizing the urgency for users to update their systems. Detailed instructions on how to download and apply the hotfixes, as well as how to verify that they have been applied, are available in Fortinet's advisory. Notably, Arctic Wolf has not identified a publicly available proof-of-concept exploit for CVE-2026-35616, which may indicate that attackers are still developing their methods for exploitation. The upcoming FortiClient EMS version 7.4.7 is expected to include a permanent fix.
Immediate Actions
Organizations running vulnerable versions of FortiClient EMS should prioritize the application of the emergency hotfixes. Detailed installation instructions can be found in the official FortiClient EMS release notes. Additionally, it is recommended to monitor EMS logs for any anomalous API activity, especially unauthenticated requests that may indicate prior exploitation attempts. Restricting external access to the EMS management interface can also provide an additional layer of defense while patching is completed. Given the critical nature of this vulnerability, organizations should treat this as an emergency response situation.
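The two checks recommended above (am I running an affected build, and has anything already hit the API without credentials?) can be scripted. The following is an added example, not Fortinet code: the version facts come from this article, while the key=value log line shape, the field names and the sample lines are constructed assumptions, since real EMS logs will differ.

```python
import re

# Facts from the article: 7.4.5 and 7.4.6 are affected (emergency hotfix
# available); 7.2.x is unaffected; 7.4.7 is expected to carry the permanent fix.
AFFECTED = {(7, 4, 5), (7, 4, 6)}

def triage_version(version, hotfix_applied=False):
    """Return 'patch', 'hotfixed' or 'ok' for an EMS version string such as '7.4.5'."""
    v = tuple(int(p) for p in version.split(".")[:3])
    if v in AFFECTED:
        return "hotfixed" if hotfix_applied else "patch"
    return "ok"

# Assumed log shape (constructed for this example): space-separated key=value
# fields. 'auth=none' means the request carried no session or token at all.
LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) auth=(?P<auth>\S+)"
)

def find_unauthenticated_api_hits(lines):
    """Flag API requests that succeeded (2xx) although no credential was presented.

    That combination, rather than any particular endpoint, is what an
    authentication bypass on the API layer looks like in access logs.
    A rejected (401/403) unauthenticated call is normal noise and is skipped.
    """
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        d = m.groupdict()
        if (d["path"].startswith("/api/") and d["auth"] == "none"
                and d["status"].startswith("2")):
            hits.append((d["ts"], d["src"], d["method"], d["path"]))
    return hits

# Constructed sample lines (placeholder paths and documentation IPs), not captured data.
SAMPLE_LOG = [
    "2026-03-31T02:14:07Z src=203.0.113.10 method=POST path=/api/PLACEHOLDER status=200 auth=none",
    "2026-03-31T02:14:09Z src=203.0.113.10 method=GET path=/api/PLACEHOLDER status=401 auth=none",
    "2026-03-31T02:15:00Z src=198.51.100.7 method=GET path=/api/PLACEHOLDER status=200 auth=session",
    "2026-03-31T02:15:30Z src=203.0.113.10 method=GET path=/login status=200 auth=none",
    "2026-03-31T02:16:12Z src=203.0.113.10 method=PUT path=/api/PLACEHOLDER status=204 auth=none",
]

if __name__ == "__main__":
    print(triage_version("7.4.5"), triage_version("7.2.10"))
    for hit in find_unauthenticated_api_hits(SAMPLE_LOG):
        print("REVIEW:", *hit)
```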
Context and Implications
The development comes shortly after another critical vulnerability in FortiClient EMS (CVE-2026-21643) was reported, raising concerns about the security posture of the FortiClient product line. The rapid succession of these vulnerabilities suggests a potentially systemic issue that organizations must address with urgency. Security experts have noted that the exploitation of CVE-2026-35616 may not be isolated, as it remains unclear whether the same threat actor is behind both vulnerabilities, leading to speculation about coordinated attacks against Fortinet products. This incident underscores the need for organizations to remain vigilant and proactive in their cybersecurity measures. Additionally, the relatively small internet-facing footprint of FortiClient EMS, estimated at about 100 exposed instances, could mitigate some risk, but the potential for targeted attacks remains high.
The rapid escalation of exploitation attempts and the addition of this vulnerability to CISA's KEV Catalog highlight the urgency for organizations to patch their systems without delay.