Critical Fortinet FortiClient EMS flaw is under active exploitation and needs an immediate hotfix
Fortinet has warned customers about a critical FortiClient EMS vulnerability that can let an unauthenticated attacker execute unauthorized code or commands through crafted API requests. The flaw is tracked as CVE-2026-35616 and affects FortiClient EMS 7.4.5 and 7.4.6.
Fortinet says it has observed exploitation in the wild and urges affected customers to install emergency hotfixes right away. CISA has also added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, which means the US agency has evidence of active exploitation and has set an April 9 remediation deadline for federal agencies.
The issue sits in the API layer of FortiClient Endpoint Management Server. Fortinet describes it as an improper access control flaw that may allow an unauthenticated attacker to bypass protections and run unauthorized code or commands.
Who is affected and what to install
Affected versions are limited to FortiClient EMS 7.4.5 and 7.4.6. Fortinet says FortiClient EMS 7.2 is not affected, and the company has already remediated the issue in FortiClient Cloud and FortiSASE, so those customers do not need to take action for this bug.
Fortinet says customers on 7.4.5 and 7.4.6 should follow the hotfix instructions in the official EMS release notes now. The company also says FortiClient EMS 7.4.7 will include a permanent fix, but the currently available hotfix is sufficient to fully prevent exploitation in the meantime.
The severity scoring is slightly inconsistent across sources. Fortinet’s advisory lists the issue as Critical with a CVSS v3 score of 9.1, while the NVD entry currently shows a CNA-contributed CVSS 3.1 base score of 9.8 from Fortinet. Either way, defenders should treat this as an urgent, internet-facing remote attack risk.
What makes this bug dangerous
Fortinet classifies the flaw under CWE-284, improper access control. The public description says the attacker does not need to log in first, which sharply raises the risk for organizations that expose EMS management interfaces to the internet or to less trusted internal segments.
Public reporting and defender writeups describe the issue as a pre-authentication API access bypass. In practice, that means a hostile request can sidestep normal API authentication and authorization checks, then reach privileged actions that should be restricted to trusted administrators.
This also lands just days after another actively exploited FortiClient EMS issue, CVE-2026-21643. Security researchers say it is still not clear whether the same actor is behind both campaigns or whether attackers are chaining the two vulnerabilities together, but the repeat targeting suggests FortiClient EMS has become a high-priority target.
One detail worth noting
Fortinet’s advisory summary clearly says the company has observed exploitation in the wild. However, the same advisory page also shows a metadata field reading “Known Exploited: No.” Since CISA added the flaw to its KEV catalog on April 6, the safer reading is that active exploitation is confirmed and the “Known Exploited” field likely lagged behind the advisory text or was not updated consistently.
That matters because some security teams rely on a single field or dashboard flag when they triage patching. In this case, the stronger signal comes from the advisory text itself and from CISA’s KEV listing, both of which point to active exploitation.
Fortinet credits Simo Kohonen from Defused and Nguyen Duc Anh for reporting the vulnerability under responsible disclosure. Security reporting says Defused observed zero-day exploitation before public disclosure, and watchTowr later said its honeypot systems also captured exploitation activity starting on March 31.
Quick response checklist
| Item | Action |
|---|---|
| FortiClient EMS 7.4.5 or 7.4.6 | Apply Fortinet’s emergency hotfix immediately. |
| FortiClient EMS 7.2 | No action required for this CVE. |
| FortiClient Cloud / FortiSASE | Fortinet says the issue is already remediated. |
| Future upgrade path | Plan to move to 7.4.7 once released. |
| Federal agencies | Patch by April 9 under CISA KEV guidance. |
What defenders should do now
- Apply the out-of-band hotfix on any affected EMS server immediately.
- Restrict external access to EMS management interfaces while patching is underway. This is a defensive best practice given the network-reachable, unauthenticated nature of the flaw.
- Review EMS logs for unusual API activity and unauthenticated requests, especially if the server was exposed before patching. Fortinet and third-party reporting both point to API abuse as the attack path.
- Treat any unpatched, internet-exposed EMS deployment as high risk until the hotfix is installed and verified.
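The following is an added example, not Fortinet's code: it turns the response checklist and the log-review bullet above into two small triage helpers. The version mapping reflects only what the article states (7.4.5 and 7.4.6 affected, 7.2 not affected, 7.4.7 carrying the permanent fix); everything else is sent to "check-advisory" rather than guessed. The log format, the `/api/v1/example-*` paths and the sample lines are constructed for illustration and are not FortiClient EMS's real log format or API endpoints. The detection logic looks for the pattern a pre-authentication access-control bypass leaves behind: API requests with no session that were nevertheless served with a 2xx status, plus a per-source count of all unauthenticated API attempts to surface probing.

```python
import re
from collections import Counter

# Checklist facts from the article. Anything not listed is routed to the
# advisory instead of being assumed safe.
AFFECTED_VERSIONS = {"7.4.5", "7.4.6"}
FIXED_VERSION = "7.4.7"


def triage_version(version: str) -> str:
    """Map a FortiClient EMS version string to the checklist action."""
    v = version.strip()
    if v in AFFECTED_VERSIONS:
        return "hotfix"          # apply Fortinet's emergency hotfix now
    if v == "7.2" or v.startswith("7.2."):
        return "not-affected"    # Fortinet says the 7.2 branch is not affected
    if v == FIXED_VERSION:
        return "fixed"           # release that carries the permanent fix
    return "check-advisory"      # confirm against Fortinet's advisory


# Constructed log format (hypothetical, NOT FortiClient EMS's real format):
#   <utc-timestamp> <src-ip> <method> <path> <status> auth=<session-id|none>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

# Constructed sample lines; the /api/v1/example-* paths are placeholders.
SAMPLE_LOG = """\
2026-03-31T22:10:01Z 198.51.100.20 GET /api/v1/example-status 200 auth=sess-4a1
2026-03-31T22:10:05Z 203.0.113.7 POST /api/v1/example-admin 200 auth=none
2026-03-31T22:10:06Z 203.0.113.7 POST /api/v1/example-admin 200 auth=none
2026-03-31T22:11:40Z 192.0.2.9 GET /login 200 auth=none
2026-03-31T22:12:02Z 203.0.113.7 GET /api/v1/example-status 401 auth=none
2026-03-31T22:12:03Z 198.51.100.20 POST /api/v1/example-admin 200 auth=sess-4a1
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def find_unauthenticated_api_success(events: list[dict]) -> list[dict]:
    """Requests with no session that hit an API path and were served (2xx).

    A request that should have been rejected but succeeded is the signature
    of an access-control bypass; the login page is excluded because it is
    expected to be reachable without a session.
    """
    return [
        e for e in events
        if e["path"].startswith("/api/")
        and e["auth"] == "none"
        and 200 <= e["status"] < 300
    ]


def unauthenticated_api_attempts_by_source(events: list[dict]) -> Counter:
    """Count every unauthenticated API request per source, success or not,
    so that probing (many 401/403s from one address) also stands out."""
    return Counter(
        e["src"] for e in events
        if e["path"].startswith("/api/") and e["auth"] == "none"
    )


def successful_bypass_by_source(events: list[dict]) -> Counter:
    """Per-source count of unauthenticated API requests that succeeded."""
    return Counter(e["src"] for e in find_unauthenticated_api_success(events))


if __name__ == "__main__":
    for v in ("7.4.5", "7.2.4", "7.4.7", "7.4.4"):
        print(f"EMS {v}: {triage_version(v)}")
    evs = parse_log(SAMPLE_LOG)
    print("successful unauthenticated API calls:", successful_bypass_by_source(evs))
    print("all unauthenticated API attempts:", unauthenticated_api_attempts_by_source(evs))
```

On the constructed sample the only source that both probed and got served without a session is 203.0.113.7; on real data, any non-empty result from `find_unauthenticated_api_success` on a server that was exposed before the hotfix is a reason to escalate to incident response rather than just patch.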
FAQ
It is a critical improper access control flaw in FortiClient EMS 7.4.5 and 7.4.6 that may allow an unauthenticated attacker to execute unauthorized code or commands through crafted requests.
Yes. Fortinet’s advisory says the company observed exploitation in the wild, and CISA added the bug to its Known Exploited Vulnerabilities catalog on April 6, 2026.
FortiClient EMS 7.4.5 and 7.4.6 are affected. FortiClient EMS 7.2 is not affected, and FortiClient Cloud and FortiSASE have already been remediated according to Fortinet.
Fortinet says affected customers should apply the emergency hotfix now and then upgrade to FortiClient EMS 7.4.7 when it becomes available.