Critical Fortinet FortiClient EMS 0-Day Vulnerability Actively Exploited in the Wild
Tracked as CVE-2026-35616 and carrying a CVSSv3 score of 9.1 (Critical), the flaw enables unauthenticated attackers to bypass API authentication and authorization controls entirely, allowing them to execute arbitrary code or commands on vulnerable systems.
The vulnerability, classified under CWE-284 (Improper Access Control), resides in the API layer of FortiClient Endpoint Management Server (EMS).
Successful exploitation does not require any prior authentication, user interaction, or elevated privileges, making it particularly dangerous for organizations with internet-exposed EMS deployments.
An unauthenticated remote attacker can send specially crafted API requests to bypass all authentication and authorization checks, effectively gaining full control over endpoint management operations.
The attack vector is network-based, the complexity is low, and the impact spans confidentiality, integrity, and availability: conditions that directly account for its near-maximum CVSS rating.
Fortinet’s advisory (FG-IR-26-099) lists the vulnerability’s primary impact as privilege escalation, with active in-the-wild exploitation confirmed by the vendor.
Only FortiClient EMS versions 7.4.5 and 7.4.6 are affected. FortiClient EMS 7.2.x is not affected and requires no action. The upcoming FortiClient EMS 7.4.7 will include a permanent fix, but Fortinet has made emergency hotfixes available immediately for both affected branches while that release is finalized.
The vulnerability was discovered by Simo Kohonen from threat intelligence firm Defused and independent researcher Nguyen Duc Anh.
Defused observed active in-the-wild exploitation of the flaw earlier this week before reporting it to Fortinet under responsible disclosure protocols. The discovery was made using Defused’s upcoming Radar feature, set to launch next week, which is designed to surface novel exploitation activity in real time.
Upon receiving the report, Fortinet moved swiftly, publishing its advisory and releasing the emergency hotfix on April 4, 2026, the same day as initial publication.
Fortinet strongly urges all customers running affected versions to apply the emergency hotfix immediately. Detailed installation instructions are available through the official FortiClient EMS release notes for each affected build:
Organizations should also monitor their EMS logs for anomalous API activity, particularly unauthenticated requests that may indicate prior exploitation attempts.
Where possible, restricting external access to the EMS management interface at the network perimeter adds a meaningful layer of defense while patching is completed.
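As an added illustration of the log review recommended above (example code, not from the article, Fortinet, or Defused): a small Python triage script that flags API requests that were served successfully without any credential, the pattern an authentication bypass leaves behind. The log line format, the `auth=` field and the `/api/` path prefix are assumptions made for this example and are not the real FortiClient EMS log format; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed log format (constructed for this example, NOT the real EMS format):
# <timestamp> <src_ip> <method> <path> <status> auth=<none|session|token>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

# Constructed sample: one peer probes without credentials, gets a 401,
# then receives 200s on API paths that should have required a session.
SAMPLE_LOG = """\
2026-04-04T09:12:01Z 10.0.0.5 GET /api/v1/endpoints 200 auth=session
2026-04-04T09:12:07Z 203.0.113.9 GET /api/v1/endpoints 401 auth=none
2026-04-04T09:12:09Z 203.0.113.9 POST /api/v1/policies 200 auth=none
2026-04-04T09:12:10Z 203.0.113.9 POST /api/v1/tasks 200 auth=none
2026-04-04T09:13:44Z 10.0.0.7 GET /static/logo.png 200 auth=none
2026-04-04T09:14:02Z 10.0.0.5 POST /api/v1/policies 200 auth=token
garbled line that should be skipped
"""

def parse(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unauthenticated_api_success(log_text, api_prefix="/api/"):
    """Return (ts, src, method, path) for API requests served with a 2xx
    status and no credential. A 401 without credentials is expected
    behaviour; a 2xx without credentials on an API path is the signature
    of an authentication/authorization bypass and warrants triage."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        if (rec["path"].startswith(api_prefix)
                and rec["auth"] == "none"
                and rec["status"].startswith("2")):
            findings.append((rec["ts"], rec["src"], rec["method"], rec["path"]))
    return findings

def sources_by_count(findings):
    """Group findings by source address so the noisiest peer surfaces first."""
    return Counter(f[1] for f in findings).most_common()

if __name__ == "__main__":
    hits = find_unauthenticated_api_success(SAMPLE_LOG)
    print("\n".join(" ".join(h) for h in hits), sources_by_count(hits))
```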
The post Critical Fortinet FortiClient EMS 0-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.