thehackernews.com, 4/5/2026, 5:51:18 AM

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

Fortinet has released out-of-band patches for a critical flaw in FortiClient EMS that is being exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), is described as a pre-authentication API access bypass leading to privilege escalation: an unauthenticated attacker can execute code or commands by sending crafted requests. The issue affects FortiClient EMS versions 7.4.5 and 7.4.6. A hotfix for both builds is already available, and the full fix is expected in version 7.4.7.

Defused Cyber researchers Simo Kohonen and Nguyen Duc Anh were credited with discovering and reporting the flaw, and watchTowr has noted exploitation attempts against its honeypots beginning on 31 March 2026. Fortinet urged customers running FortiClient EMS 7.4.5 or 7.4.6 to install the hotfix as a matter of urgency, since exploitation in the wild has already been observed.
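The only actionable facts on this page are version facts: 7.4.5 and 7.4.6 are affected, a hotfix exists for those two builds, and 7.4.7 is the expected full fix. The following triage helper, an added example and not Fortinet's or CyberSIXT's code, encodes exactly those facts and nothing more. It parses version strings from a fleet inventory, flags hosts inside the affected window, and treats every flagged host as "confirm hotfix or upgrade", because a version string alone cannot tell you whether the hotfix has been applied. The inventory it runs over is constructed sample data; no vendor API, file path or detection signature is assumed.

```python
"""Triage FortiClient EMS hosts against the stated affected range.

Added example, not vendor code. Facts encoded here come only from the
advisory summary on this page:
  - affected: 7.4.5 and 7.4.6
  - hotfix available for those two builds
  - full fix expected in 7.4.7
The sample inventory below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AFFECTED_MIN: Tuple[int, int, int] = (7, 4, 5)
AFFECTED_MAX: Tuple[int, int, int] = (7, 4, 6)
FIXED_IN: Tuple[int, int, int] = (7, 4, 7)

ACTION_AFFECTED = "affected: confirm hotfix is applied or upgrade to 7.4.7"
ACTION_FIXED = "fixed build (7.4.7 or later)"
ACTION_UNLISTED = "outside the stated affected range; check the vendor advisory"


@dataclass
class Host:
    name: str
    version: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.4.6' (optionally prefixed with 'v') into a comparable tuple.

    Short strings such as '7.4' are padded to three components so that
    they compare like '7.4.0'. Anything non-numeric is rejected rather
    than silently classified.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    version = tuple(int(p) for p in parts)
    if len(version) < 3:
        version = version + (0,) * (3 - len(version))
    return version


def is_affected(version: str) -> bool:
    """True when the first three components fall inside 7.4.5 .. 7.4.6.

    A fourth component (e.g. a build number) is ignored deliberately: the
    page names only major.minor.patch, so 7.4.6.x is treated as 7.4.6.
    """
    v = parse_version(version)[:3]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(hosts: List[Host]) -> Dict[str, str]:
    """Map each host name to the action implied by its version string."""
    actions: Dict[str, str] = {}
    for host in hosts:
        v = parse_version(host.version)[:3]
        if is_affected(host.version):
            # The version alone cannot prove the hotfix is installed,
            # so affected hosts always require a manual confirmation.
            actions[host.name] = ACTION_AFFECTED
        elif v >= FIXED_IN:
            actions[host.name] = ACTION_FIXED
        else:
            # Older branches are not mentioned on this page; do not assume
            # they are safe, point the operator at the advisory instead.
            actions[host.name] = ACTION_UNLISTED
    return actions


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY: List[Host] = [
    Host("ems-prod-01", "7.4.6"),
    Host("ems-prod-02", "v7.4.5"),
    Host("ems-lab-01", "7.4.7"),
    Host("ems-legacy-01", "7.2.9"),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```

Because the affected window is closed on both ends, a host on 7.4.4 is reported as "unlisted" rather than "safe"; that distinction matters when the page you are working from, like this one, only names the builds the vendor has confirmed.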


Article by CyberSIXT
