Fortinet has issued an urgent security update over the weekend to address a newly discovered critical vulnerability in its FortiClient Enterprise Management Server (EMS). Tracked as CVE-2026-35616, the flaw is an improper access control issue that enables unauthenticated attackers to execute arbitrary code or commands by sending specially crafted requests to the server. The company confirmed that this vulnerability is already being actively exploited in the wild, prompting the emergency release of a patch outside of its normal update cycle. Organizations are urged to apply the fix immediately to prevent potential compromise.
The vulnerability specifically impacts FortiClient EMS versions 7.4.5 and 7.4.6. Fortinet has released hotfixes for these versions and stated that the fix will also be included in the upcoming FortiClient EMS 7.4.7 release. Notably, version 7.2 of the software is not affected. The flaw was discovered by cybersecurity researchers at Defused, who described it as a pre-authentication API access bypass. This type of vulnerability allows threat actors to completely circumvent the system's authentication and authorization controls, providing a direct path to command execution on the server.
According to Defused, the vulnerability was being exploited as a zero-day earlier this week before the firm responsibly disclosed it to Fortinet. The rapid transition from discovery to active exploitation underscores the high value attackers place on such flaws in widely deployed enterprise management tools. Internet infrastructure monitoring organization Shadowserver has already detected over 2,000 instances of FortiClient EMS exposed on the public internet, representing a significant attack surface for threat actors to target.
This incident is part of a broader trend of attackers aggressively targeting vulnerabilities in network security and management appliances. The ability to bypass authentication on a central management server like FortiClient EMS is particularly dangerous, as it could grant attackers persistent access to managed endpoints across an entire organization. Security teams responsible for Fortinet environments must prioritize applying the provided hotfixes. Continuous monitoring for suspicious activity and ensuring such management interfaces are not unnecessarily exposed to the internet are critical complementary defensive measures.
