Tuesday, April 7, 2026

Fortinet has issued an urgent advisory and patch to address a critical vulnerability in FortiClient EMS, tracked as CVE-2026-35616 (CVSS 9.1), which has already been actively exploited in the wild. The flaw is a pre-authentication API access bypass that can lead to privilege escalation, allowing unauthenticated attackers to send specially crafted requests to execute unauthorized commands or code on affected systems.
The vulnerability affects FortiClient EMS versions 7.4.5 through 7.4.6. Fortinet has released a hotfix as an immediate mitigation and plans a full fix in version 7.4.7. The issue was discovered by researchers Simo Kohonen of Defused Cyber and Nguyen Duc Anh. According to watchTowr, exploitation attempts were observed as early as March 31, 2026, indicating the vulnerability was used as a zero-day before public disclosure. The flaw is rated critical (CVSS 9.1): attackers can bypass authentication and compromise the EMS server directly, which can lead to malware deployment, lateral movement within the network, or full system takeover. This incident follows another recently exploited FortiClient EMS vulnerability (CVE-2026-21643), raising concerns that attackers may chain multiple flaws together.
Fortinet strongly urges administrators to apply the hotfix or update immediately. Internet-exposed EMS servers should be treated as a critical emergency. Because exploitation is already underway, attackers may also time their activity for periods when security teams are less active, such as holidays, to improve their odds of success and evade detection.
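The advisory gives a concrete affected range (7.4.5 through 7.4.6), a hotfix as interim mitigation, a full fix in 7.4.7, and a priority rule (internet-exposed servers first). The following triage helper turns that into a fleet check. It is an added example, not code from Fortinet, the researchers, or The Hacker News; the `EmsHost` record, its `hotfix_applied` and `internet_exposed` fields, and the sample inventory are assumptions for illustration, since a hotfixed server may still report the same base version string and exposure is not something the version number tells you.

```python
"""Fleet triage for the FortiClient EMS advisory described above.

Added example, not Fortinet's or the article's own code. It assumes:
  - EMS versions are reported as dotted strings such as "7.4.5";
  - the affected range is 7.4.5 through 7.4.6 and the full fix is 7.4.7
    (both from the advisory);
  - each host record carries a hotfix flag and an internet-exposure flag
    (assumed inventory fields, not anything Fortinet publishes).
"""
from dataclasses import dataclass

AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_VERSION = (7, 4, 7)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn "7.4.5" into (7, 4, 5); pad "7.4" to (7, 4, 0); reject junk."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EMS version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version sits inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class EmsHost:
    name: str
    version: str
    hotfix_applied: bool   # assumed inventory field
    internet_exposed: bool  # assumed inventory field


def triage(host: EmsHost) -> str:
    """Return one of: 'none', 'schedule_upgrade',
    'apply_hotfix_or_upgrade', 'emergency'."""
    if not is_affected(host.version):
        return "none"
    if host.hotfix_applied:
        # Mitigated by the hotfix; the full fix is still 7.4.7.
        return "schedule_upgrade"
    # Unmitigated and reachable from the internet: treat as an emergency.
    return "emergency" if host.internet_exposed else "apply_hotfix_or_upgrade"


_ORDER = {"emergency": 0, "apply_hotfix_or_upgrade": 1,
          "schedule_upgrade": 2, "none": 3}


def prioritise(hosts: list[EmsHost]) -> list[tuple[str, str]]:
    """Return (action, host name) pairs, most urgent first."""
    return sorted(((triage(h), h.name) for h in hosts),
                  key=lambda pair: (_ORDER[pair[0]], pair[1]))


# Constructed sample inventory (not real hosts).
SAMPLE_FLEET = [
    EmsHost("ems-dmz-01", "7.4.6", hotfix_applied=False, internet_exposed=True),
    EmsHost("ems-corp-02", "7.4.5", hotfix_applied=False, internet_exposed=False),
    EmsHost("ems-corp-03", "7.4.6", hotfix_applied=True, internet_exposed=True),
    EmsHost("ems-lab-04", "7.4.7", hotfix_applied=False, internet_exposed=True),
    EmsHost("ems-old-05", "7.4.4", hotfix_applied=False, internet_exposed=False),
]

if __name__ == "__main__":
    for action, name in prioritise(SAMPLE_FLEET):
        print(f"{action:24} {name}")
```

The two flags are the point of the example: the base version alone cannot distinguish a hotfixed 7.4.6 from an unpatched one, and the advisory's "internet-exposed first" rule needs a data source outside EMS itself.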
Source: https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html
