Fortinet disclosed a critical vulnerability in FortiClient EMS (Enterprise Management Server), tracked as CVE-2026-35616 and rated CVSS v3 9.1, described as an API authentication and authorization bypass that can allow an unauthenticated attacker to execute commands or code. Fortinet has observed exploitation in the wild and has released out-of-band hotfix guidance for the affected builds.
The advisory lists FortiClientEMS 7.4.5 and 7.4.6 as affected, while 7.2 is not affected; Fortinet notes a permanent fix is expected in FortiClientEMS 7.4.7. Shadowserver has identified roughly 2,000 FortiClient EMS instances reachable worldwide, with the United States and Germany accounting for the largest shares, and attackers have exploited not only CVE-2026-35616 but also CVE-2026-21643.
Key timeline points include exploitation observed against honeypots on March 31, 2026, publication of the FG-IR-26-099 advisory on April 4, 2026, and broader media coverage on April 5, 2026. Per Fortinet's advisory FG-IR-26-099, anyone running FortiClientEMS 7.4.5 or 7.4.6 should install the hotfix and review recent EMS logs and admin actions for signs of unauthorized activity.