Fortinet issued an emergency patch for a FortiClient EMS zero-day that has been exploited in the wild, tracked as CVE-2026-35616. Fortinet describes the flaw as an improper access control vulnerability in FortiClient EMS, noting a pre-authentication API access bypass and a 9.1 CVSS score, which could allow an unauthenticated attacker to execute code through crafted requests.
In its security advisory, Fortinet confirmed the flaw is being exploited and urged customers to install a hotfix for FortiClient EMS versions 7.4.5 and 7.4.6; Fortinet also said FortiClient EMS 7.4.7 will include a fix. The company credited Simo Kohonen and security researcher Nguyen Duc Anh with discovering and reporting the flaw, while noting that it remains unclear who is behind the attacks and that exploitation appears to be limited.
The Cybersecurity and Infrastructure Security Agency added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog, and U.S. federal agencies must address the FortiClient zero-day by 9 April. Fortinet previously tracked a separate FortiClient EMS vulnerability, CVE-2026-21643, which was exploited late last month.