Fortinet has issued urgent out-of-band security patches for a critical vulnerability in FortiClient EMS that is currently being exploited by attackers in the wild. This flaw, identified as CVE-2026-35616, allows unauthenticated users to bypass API protections and execute unauthorized commands with elevated privileges.
Fortinet recently addressed a severe security weakness in its FortiClient EMS software after discovering that hackers were actively using it to compromise systems. The vulnerability, which carries a nearly perfect critical severity rating, stems from an improper access control issue within the platforms API. By sending specifically crafted requests, an attacker who has not logged in can bypass existing security checks and gain the ability to run malicious code or commands on the affected server.
This security gap specifically impacts FortiClient EMS versions 7.4.5 and 7.4.6, prompting the company to release an immediate hotfix ahead of a formal version update. Security researchers first noticed the exploitation attempts appearing on honeypots at the end of March 2026, indicating that the flaw was being weaponized as a zero-day before a fix was available. The speed at which this vulnerability was identified and used suggests a highly motivated threat environment targeting enterprise security management tools.
The timing of these attacks appears to be a calculated move by cybercriminals to take advantage of reduced staffing during a holiday weekend. Experts have noted that launching such exploits during a break like Easter allows attackers a longer window to operate before being detected by distracted or diminished security teams. This strategic timing maximizes the potential impact of the breach, as emergency responses are often slower during these periods than on standard business days.
This latest incident marks the second major unauthenticated vulnerability discovered in FortiClient EMS within a very short timeframe. Only days prior, another critical flaw was reported to be under active exploitation, raising significant concerns about the overall security posture of the software. It remains unclear if the same group of attackers is responsible for both campaigns or if different threat actors are simultaneously capitalizing on these weaknesses to gain footholds in corporate networks.
Given the high risk of a full system takeover, administrators are being urged to treat this situation as an immediate emergency rather than a routine update. Fortinet has stressed that customers running the vulnerable versions must apply the provided hotfix immediately to prevent unauthorized access. The repeated targeting of this specific platform highlights a trend where attackers prioritize infrastructure that manages many endpoints, making rapid patching the only effective defense against ongoing exploitation.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-26-099