Fortinet customers have been urged to update their FortiClient Enterprise Management Server (EMS) products after the vendor was forced to issue an emergency patch over the weekend.
CVE-2026-35616 is a critical (CVSS 9.1) improper access control vulnerability which could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the vendor said. “Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely.”
Cybersecurity vendor Defused explained that it had seen the vulnerability being exploited in zero-day attacks earlier last week and notified Fortinet accordingly.
“The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely, unauthorized code or commands via crafted requests,” Defused said in a social media post.
Second Critical Flaw in a Week
Defused also discovered another critical vulnerability in the FortiClient EMS platform last week, also being exploited in the wild.
CVE-2026-21643 is an SQL injection flaw with a CVSS score of 9.8 which could allow unauthenticated attackers to execute unauthorized code via specifically crafted HTTP requests.
By hijacking organizations’ endpoint management infrastructure, threat actors could push malicious updates to endpoints and launch deeper attacks into cloud systems, for possible espionage and ransomware.
For that specific vulnerability, customers were urged to upgrade to version 7.4.5 or later, or at least disconnect the administrative web interface from the internet. Indicators of compromise (IoCs) included HTTP 500 errors on the /api/v1/init_consts endpoint; unusual database error messages in PostgreSQL logs; and unauthorized remote monitoring and management tools.
Endpoint management solutions are a popular target for threat actors given the access they provide to company device fleets. This can be weaponized in ransomware, cyber espionage or destructive attacks.
In 2024, Fortinet was forced to patch a critical SQL injection vulnerability in FortiClientEMS which could have enabled remote code execution (RCE) on targeted servers.