Fortinet released an emergency hotfix for a critical pre-authentication access control vulnerability in FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-35616, which is being actively exploited in the wild. Customers running FortiClient EMS 7.4.5 and 7.4.6 are urged to install the provided hotfixes or upgrade to 7.4.7 to mitigate the risk, after Defused reported the zero-day and Shadowserver identified over 2,000 exposed instances. #FortiClientEMS #CVE-2026-35616
Key points
- CVE-2026-35616 is a pre-authentication API access bypass that allows unauthenticated attackers to execute commands or code.
- FortiClient EMS versions 7.4.5 and 7.4.6 are affected, while 7.2 is not impacted.
- Fortinet published hotfixes for 7.4.5 and 7.4.6 and will include the fix in the upcoming 7.4.7 release.
- Security firm Defused discovered the zero-day and reported observed exploitation; Fortinet also credited Nguyen Duc Anh.
- Shadowserver located over 2,000 exposed FortiClient EMS instances online, mainly in the USA and Germany, heightening exploitation risk.