Fortinet has released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616, which is already being exploited in the wild and carries a CVSS score of 9.1. The flaw is described as an improper access control issue that allows an unauthenticated attacker to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.
Fortinet has observed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install the hotfixes, with a permanent fix planned for version 7.4.7. The advisory notes that the vulnerability involves an unauthenticated API access bypass, and Fortinet’s disclosures credit Simo Kohonen from Defused and Nguyen Duc Anh for responsibly reporting the issue after observing active exploitation.
Fortinet’s post also references in-the-wild exploitation earlier this week and the need for vulnerable customers to apply the fixes promptly, as reported by Security Affairs. According to Fortinet.