Fortinet rushed out emergency fixes over the weekend for a FortiClient EMS vulnerability that has been exploited as a zero-day. The flaw, described as an improper access control issue, is tracked as CVE-2026-35616 with a CVSS score of 9.1 and could enable remote code execution by unauthenticated attackers. According to Fortinet's advisory, remote attackers could send crafted requests to a vulnerable FortiClient EMS instance to trigger the bug, and successful exploitation does not require authentication.
Fortinet observed this vulnerability being exploited in the wild, and on Saturday announced hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6, with 7.2 not affected. The company also noted that FortiClient EMS 7.4.7 will include a fix, but the published hotfixes are currently sufficient to prevent exploitation.
The Shadowserver Foundation says it has observed approximately 2,000 FortiClient EMS instances accessible from the internet, potentially exposed to this zero-day as well as to CVE-2026-21643, a recently patched SQL injection flaw.