Fortinet has released an emergency hotfix for a critical pre-authentication API bypass vulnerability in FortiClient EMS that is under active exploitation, marking the second zero-day attack on the platform in weeks.
Fortinet has released an emergency hotfix for a critical security flaw in FortiClient EMS that is actively being exploited in the wild, marking the second zero-day vulnerability in the platform within weeks.
Critical API Bypass Vulnerability Under Attack
The vulnerability, tracked as CVE-2026-35616 with a CVSS score of 9.1, is described as a pre-authentication API access bypass that could lead to privilege escalation. According to Fortinet's advisory, "An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests."
Scope and Impact
The flaw affects FortiClient EMS versions 7.4.5 through 7.4.6. While the company expects a full patch in the upcoming version 7.4.7, it has released an immediate hotfix to address the critical issue.
Active Exploitation Confirmed
Multiple security researchers have confirmed active exploitation of the vulnerability:
- Defused Cyber observed zero-day exploitation earlier this week and credited Simo Kohonen with discovering and reporting the flaw
- watchTowr recorded exploitation attempts against its honeypots as early as March 31, 2026
- Fortinet itself confirmed observing the vulnerability being exploited in the wild
Successful exploitation could allow attackers to bypass API authentication and authorization protections entirely, executing malicious code or commands without any authentication requirements.
Second Critical Flaw in Weeks
This vulnerability follows closely on the heels of another recently-patched critical flaw in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) that was also under active exploitation. Security experts note the concerning pattern of unauthenticated vulnerabilities in the platform.
Expert Analysis and Recommendations
Security researchers emphasize the urgency of applying the hotfix immediately:
"The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental," said Benjamin Harris, CEO and founder of watchTowr. "Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity."
Harris added: "What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks. So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start."
Immediate Action Required
Given the severity and active exploitation, Fortinet urges all affected customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 immediately. Organizations with internet-exposed FortiClient EMS instances should treat this as a critical security incident requiring immediate response.
Broader Context
This incident highlights the ongoing challenges in securing enterprise management systems and the importance of rapid patch deployment. The pattern of zero-day exploitation during holiday periods demonstrates how attackers strategically time their campaigns to maximize impact when security teams are understaffed.
The discovery by independent researchers Kohonen and Nguyen Duc Anh also underscores the critical role of the security research community in identifying and reporting vulnerabilities before they can be widely exploited.
Organizations using FortiClient EMS should verify their current version, apply the hotfix immediately, and monitor for any signs of compromise, particularly if their systems are exposed to the internet.
Comments
Please log in or register to join the discussion