Fortinet has released out-of-band patches for a critical vulnerability in its FortiClient EMS platform after confirming that attackers are actively exploiting the flaw in the wild.
The vulnerability, tracked as CVE-2026-35616 with a CVSS score of 9.1, is a pre-authentication API access bypass that can lead to privilege escalation. Because no prior authentication is required, an attacker only needs network reach to the EMS API to attempt it, which is what makes the flaw so dangerous.
In a Saturday advisory, Fortinet said: “An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.”
The issue affects FortiClient EMS versions 7.4.5 and 7.4.6. Fortinet has released a hotfix for both and plans a permanent fix in version 7.4.7, so organizations running an affected version should apply the hotfix now rather than wait for the next release.
The vulnerability was discovered and reported by Simo Kohonen of Defused Cyber and Nguyen Duc Anh. Defused Cyber said on X that zero-day exploitation had begun earlier in the week, and watchTowr reported that its honeypots first observed exploitation attempts on March 31, 2026.
Successful exploitation lets an attacker bypass the API's authentication and authorization checks and, through crafted requests, execute commands or deploy code on the EMS server.
Fortinet stressed the urgency: “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6.”
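The first thing a practitioner wants from an advisory like this is a triage of their own inventory, so here is an added Python example that is not from Fortinet or the article. It encodes only what the advisory states (7.4.5 and 7.4.6 affected, a hotfix available for both, the permanent fix in 7.4.7) and classifies each host, parsing realistic version strings rather than comparing them as text. The inventory records, hostnames and the hotfix_applied flag are constructed assumptions; in particular, the flag has to come from your own patch records, because the version string alone does not tell you whether the hotfix is installed.

```python
import re

# Facts taken from the Fortinet advisory as reported above.
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
FIXED_VERSION = (7, 4, 7)

# Version strings in inventories are rarely clean ("v7.4.6 build 2032", "7.4.5 ", "").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first major.minor.patch triple from a version string.

    Returns None when no triple is present (empty or malformed inventory field),
    so the caller can escalate rather than silently treat the host as safe.
    """
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def triage(version_text, hotfix_applied=False):
    """Classify one FortiClient EMS host against CVE-2026-35616.

    Returns one of:
      'affected'   - 7.4.5 or 7.4.6 without the hotfix: act now
      'hotfixed'   - 7.4.5 or 7.4.6 with the hotfix applied
      'fixed'      - 7.4.7 or later in the 7.4 train (permanent fix)
      'not_listed' - a version the advisory does not name: verify against the vendor advisory
      'unknown'    - version could not be parsed: treat as affected until confirmed
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if version in AFFECTED_VERSIONS:
        return "hotfixed" if hotfix_applied else "affected"
    if version[:2] == FIXED_VERSION[:2] and version >= FIXED_VERSION:
        return "fixed"
    return "not_listed"


# Constructed sample inventory (hostnames and hotfix flags are assumptions).
SAMPLE_INVENTORY = [
    {"host": "ems-01.corp.example", "version": "7.4.5", "hotfix_applied": False},
    {"host": "ems-02.corp.example", "version": "v7.4.6 build 2032", "hotfix_applied": True},
    {"host": "ems-03.corp.example", "version": "7.4.7", "hotfix_applied": False},
    {"host": "ems-04.corp.example", "version": "", "hotfix_applied": False},
    {"host": "ems-05.corp.example", "version": "7.2.9", "hotfix_applied": False},
]


def triage_inventory(inventory):
    """Map every host to its status so nothing in the inventory is skipped."""
    return {
        rec["host"]: triage(rec.get("version"), rec.get("hotfix_applied", False))
        for rec in inventory
    }


def needs_action(inventory):
    """Hosts to escalate immediately: confirmed affected without the hotfix,
    plus hosts whose version could not be read (unknown is not the same as safe)."""
    statuses = triage_inventory(inventory)
    return sorted(host for host, status in statuses.items() if status in ("affected", "unknown"))


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print("escalate:", needs_action(SAMPLE_INVENTORY))
```

The 'not_listed' bucket is deliberate: the article names only 7.4.5 and 7.4.6 as affected, so older trains such as 7.2.x are neither cleared nor condemned here and should be checked against the vendor advisory directly, not assumed safe.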
The flaw follows closely on another critical FortiClient EMS vulnerability, CVE-2026-21643, which also carried a CVSS score of 9.1 and was exploited in the wild. It is not yet clear whether the same threat actors are behind both campaigns, or whether attackers are combining the two vulnerabilities in more sophisticated intrusions.
watchTowr CEO Benjamin Harris argued that the timing of the attacks is far from accidental: “The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental.”
He added, “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”
Harris also pointed to a broader concern: “What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks.”
He urged immediate action: “So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start.”