A critical zero-day vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) has been exploited in the wild since late March, prompting Fortinet to release an emergency hotfix. The flaw, tracked as CVE-2026-35616, allows an unauthenticated remote attacker to execute arbitrary code on the server, posing a significant risk to organizations running the affected versions. It carries a CVSS score of 9.1 out of 10.
FortiClient EMS is widely used to manage and monitor endpoint systems, which makes the flaw particularly concerning: whoever controls the EMS server can push policy to every endpoint it manages. The vulnerability affects versions 7.4.5 and 7.4.6, with a full fix planned for the upcoming 7.4.7 release. FortiClient Cloud and FortiSASE have been patched on the server side, but on-premises deployments remain vulnerable until the hotfix is applied. Security firm watchTowr first observed exploitation on March 31, just days before Fortinet's advisory and hotfix were released.
The vulnerability is an authentication bypass caused by improper access control in the FortiClient EMS API, which lets an attacker execute code on the server without valid credentials or any user interaction. It follows another FortiClient EMS vulnerability earlier this year, an SQL injection flaw, although there is no confirmed link between the two, and no specific threat actor has been attributed to the current exploitation.
Organizations running FortiClient EMS should apply the available hotfix immediately. Patching closes the entry point but does not evict an attacker who is already inside, and because no indicators of compromise have been published, administrators should also review logs for suspicious API requests and other anomalous activity, in particular API calls that succeed without a valid session. watchTowr advises auditing recent changes to security policies, VPN configurations, and access controls for unauthorized modifications.
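As an added illustration of the log review recommended above (this is not code from the article, from Fortinet, or from watchTowr), the script below triages a constructed set of API access-log events and flags requests that succeeded without a session, weighting mutating calls against policy, VPN and access-control paths higher and noting when the same source was rejected just beforehand. The JSON-lines log layout, the `/api/` path prefix and the keyword list are assumptions; adapt the parser and the hints to whatever the EMS front end actually writes.

```python
"""Triage API access logs for requests that succeeded without authentication.

Added example; not from the article, Fortinet or watchTowr. The log format,
API prefix and sensitive-path keywords are assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed sample events (assumed JSON-lines layout, not real EMS output).
# Lines 1-2: a normal admin session. Lines 3-6: an unauthenticated source probes,
# gets rejected twice, then succeeds in changing a policy and a VPN profile.
SAMPLE_LOG = """\
{"ts":"2026-04-01T02:11:03Z","src":"10.20.0.15","method":"GET","path":"/api/v1/endpoints","status":200,"user":"admin","session":true}
{"ts":"2026-04-01T02:11:09Z","src":"10.20.0.15","method":"POST","path":"/api/v1/policies/12","status":200,"user":"admin","session":true}
{"ts":"2026-04-01T03:40:51Z","src":"203.0.113.77","method":"GET","path":"/api/v1/endpoints","status":401,"user":null,"session":false}
{"ts":"2026-04-01T03:40:52Z","src":"203.0.113.77","method":"GET","path":"/api/v1/admin/settings","status":403,"user":null,"session":false}
{"ts":"2026-04-01T03:41:10Z","src":"203.0.113.77","method":"POST","path":"/api/v1/policies/12","status":200,"user":null,"session":false}
{"ts":"2026-04-01T03:41:31Z","src":"203.0.113.77","method":"PUT","path":"/api/v1/vpn/profiles/3","status":200,"user":null,"session":false}
{"ts":"2026-04-01T08:02:00Z","src":"10.20.0.31","method":"GET","path":"/static/app.js","status":200,"user":null,"session":false}
"""

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
API_PREFIX = "/api/"                                   # assumed; adjust per deployment
SENSITIVE_HINTS = ("polic", "vpn", "admin", "access")  # assumed path keywords


def parse(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Return findings for API requests that succeeded without a session.

    Unauthenticated 401/403 responses are not findings on their own (scanners
    produce plenty), but they are counted per source so that a later success
    from the same source can be annotated as 'probe, then success'.
    """
    findings = []
    rejected = defaultdict(int)  # src -> number of 401/403 seen so far
    for e in events:
        path = e["path"]
        is_api = path.startswith(API_PREFIX)
        unauth = not e.get("session") and e.get("user") is None
        if not (is_api and unauth):
            continue
        if e["status"] in (401, 403):
            rejected[e["src"]] += 1
            continue
        if not 200 <= e["status"] < 300:
            continue
        severity = "high"
        reason = "unauthenticated API request succeeded"
        if e["method"] in MUTATING and any(h in path.lower() for h in SENSITIVE_HINTS):
            severity = "critical"
            reason = "unauthenticated change to policy/VPN/access configuration"
        if rejected[e["src"]]:
            reason += f" after {rejected[e['src']]} rejected request(s) from same source"
        findings.append({"ts": e["ts"], "src": e["src"], "method": e["method"],
                         "path": path, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} {f['path']}: {f['reason']}")
```

Run against real logs, the interesting output is any `critical` line: a write to policy, VPN or access-control configuration with no session behind it is exactly the change watchTowr says to audit for, and it points at the objects to compare against a known-good backup.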
Where compromise is suspected, do not attempt to clean the affected instance in place. Restore from a known-good backup taken before the suspected compromise, or rebuild the EMS instance entirely; an in-place cleanup cannot guarantee that attacker-planted changes to policies, profiles, or configuration have all been found and reversed, whereas a restore or rebuild re-establishes a trustworthy baseline and minimizes the risk of further exploitation.
Source: https://www.csoonline.com/article/4155221/fortinet-releases-emergency-hotfix-for-forticlient-ems-zero-day-flaw.html