Protect.Computer

Second FortiClient EMS zero-day in a week actively exploited — emergency hotfix released (CVE-2026-35616)

Tags: Remote code execution, Network intrusion


What happened

Fortinet released an emergency out-of-band hotfix over the weekend for CVE-2026-35616 (CVSS 9.1), a critical improper-access-control vulnerability in FortiClient Enterprise Management Server (EMS).

The flaw allows an unauthenticated remote attacker to bypass API authentication and authorization entirely, then execute arbitrary code or commands via crafted requests. Fortinet confirmed active exploitation in the wild.

On April 6, CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch by April 9, 2026.

This is the second actively exploited FortiClient EMS zero-day in a single week, following CVE-2026-21643 (also CVSS 9.1), which was disclosed and exploited just days earlier. Both were discovered by cybersecurity firm Defused. It is currently unknown whether the same threat actor is behind both exploitation campaigns.

Why this matters

  • Pre-authentication bypass: no credentials needed — attackers can execute code remotely against any exposed instance.
  • Over 2,000 exposed instances found by Shadowserver, concentrated in the US and Germany.
  • Exploitation ramping up: watchTowr observed initial probing on March 31; as of April 6, exploitation has “ramped up, indicating growing attacker interest and likely broader targeting.”
  • Back-to-back zero-days in the same product suggest either a single attacker with deep product knowledge or independent researchers racing to find related flaws.

How to check if you’re affected

Potentially affected systems

  • FortiClient EMS versions 7.4.5 and 7.4.6
  • FortiClient EMS 7.2 is not affected

Concrete verification steps (15-minute triage)

  1. Identify your FortiClient EMS version

    • Check via EMS admin console → About, or query installed software inventory.
    • If you’re running 7.4.5 or 7.4.6, you’re in scope.
  2. Apply the emergency hotfix immediately

    • FortiClient EMS 7.4.5: install hotfix 7.4.5.2111 (release notes)
    • FortiClient EMS 7.4.6: install hotfix 7.4.6.2170 (release notes)
    • Upgrade to 7.4.7 when released for a permanent fix.
  3. Check whether EMS is internet-exposed

    • Review firewall rules, NAT, and reverse-proxy configurations.
    • Restrict EMS access to internal management networks immediately if externally reachable.
  4. Hunt for exploitation indicators

    • Review EMS logs for unusual API requests, failed or unexpected authentication patterns, or process execution anomalies from March 31 onward (the date watchTowr first observed probing).
    • Check for unauthorized admin accounts or configuration changes.
  5. Cross-check against CVE-2026-21643

    • If you haven’t already patched the earlier flaw, you have two critical issues to address simultaneously.
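
The triage steps above as one PowerShell script, added here as an example rather than Fortinet tooling. Nothing below comes from the advisory except the version thresholds (7.2 not affected, 7.4.5 needs build 2111, 7.4.6 needs build 2170, 7.4.7 is the permanent fix) and the March 31 date. It assumes that EMS registers under the standard Windows Uninstall keys with a DisplayName containing "FortiClient" and "EMS" or "Enterprise Management", that DisplayVersion carries the build number as a fourth field (for example 7.4.5.2111), and that EMS services run from a path containing "Fortinet". Run it in an elevated PowerShell session on the EMS host.

```powershell
# Added triage example; not Fortinet tooling. Assumptions (not in the advisory):
# EMS is listed in the Windows Uninstall registry keys with a DisplayName matching
# "FortiClient" plus "EMS" or "Enterprise Management", and DisplayVersion holds
# the build as the fourth field (e.g. 7.4.5.2111).

function Get-EmsTriageStatus {
    # Classify a version string against the ranges the advisory names.
    param([Parameter(Mandatory)][string]$DisplayVersion)

    try { $v = [version]$DisplayVersion }
    catch { return "Unparseable version '$DisplayVersion': read it from the console About page" }

    # Hotfix builds the advisory lists for each affected branch.
    $hotfixBuild = @{ '7.4.5' = 2111; '7.4.6' = 2170 }
    $branch = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build

    if ($v.Major -eq 7 -and $v.Minor -eq 2) { return 'Not affected (7.2 branch)' }
    if ($hotfixBuild.ContainsKey($branch)) {
        $need = $hotfixBuild[$branch]
        if ($v.Revision -ge $need) { return "Hotfixed ($branch build $($v.Revision) >= $need)" }
        $have = if ($v.Revision -lt 0) { 'unknown' } else { $v.Revision }
        return "VULNERABLE: $branch build $have is below hotfix build $need; install $branch.$need"
    }
    if ($v.Major -eq 7 -and $v.Minor -eq 4 -and $v.Build -ge 7) { return 'Fixed (7.4.7 or later)' }
    return "Version $DisplayVersion is not listed in the advisory: confirm against Fortinet's PSIRT entry"
}

# Steps 1 and 2: locate the installed EMS package and decide whether the hotfix is needed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ems = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'FortiClient' -and $_.DisplayName -match 'EMS|Enterprise Management' }

if (-not $ems) {
    Write-Warning 'No FortiClient EMS package found in the Uninstall keys; check the console About page instead.'
}
foreach ($pkg in $ems) {
    '{0} {1}: {2}' -f $pkg.DisplayName, $pkg.DisplayVersion, (Get-EmsTriageStatus $pkg.DisplayVersion)
}

# Step 3 (host side): non-loopback TCP listeners owned by Fortinet processes.
# Whether these are reachable from the internet must still be confirmed in
# firewall, NAT and reverse-proxy configuration; the host cannot tell you that.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    } |
    Where-Object { $_.Path -match 'Fortinet' -or $_.Process -match 'Forti' } |
    Sort-Object Port | Format-Table -AutoSize

# Step 4 (host side): Windows accounts created (4720) or added to a local group (4732)
# since March 31, the first observed probing. EMS's own API and application logs
# must be reviewed separately; their format is not covered by this script.
$since = Get-Date '2026-03-31'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A clean result from the listener and event-log sections does not clear the host: an attacker who already has code execution through the API need not create a Windows account, so the EMS application logs, admin account list and configuration history (step 4) still have to be reviewed, and exposure has to be checked at the perimeter, not on the server.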

Immediate defensive actions

  • Apply the hotfix now — do not wait for 7.4.7.
  • Restrict EMS management interfaces to trusted internal networks only.
  • Monitor for indicators of compromise and investigate any suspicious activity since March 31.
  • Review and restrict API access to EMS services.

Bottom line

This is an emergency-response situation. If you run FortiClient EMS 7.4.5 or 7.4.6, apply the hotfix right now. Attackers already have a head start, and exploitation is actively ramping up. Restrict external access, hunt for compromise indicators, and don’t wait for the full patch release.
