Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Exploited — CVSS 9.8
Summary
Fortinet issued emergency hotfixes for a critical zero-day vulnerability, CVE-2026-35616 (CVSS 9.8), in FortiClient EMS versions 7.4.5 and 7.4.6. The improper access control flaw allows unauthenticated attackers to execute unauthorized code via crafted requests. Public proof-of-concept exploits are available, and active exploitation has been confirmed in the wild.
Threat Analysis
CVE-2026-35616 is a critical improper access control vulnerability (CWE-284) in Fortinet FortiClient Endpoint Management Server (EMS), rated CVSS 9.8. The flaw allows unauthenticated remote attackers to bypass the API's authentication and authorization mechanisms, enabling execution of unauthorized code or commands via crafted requests. Full system compromise is possible, affecting confidentiality, integrity, and availability.
Affected Products: FortiClient EMS versions 7.4.5 and 7.4.6. The 7.2 branch and older versions are not affected.
Exploitation Status: Actively exploited in the wild. Public proof-of-concept (PoC) exploits are available on GitHub. Defused Cyber initially identified the active exploitation, which Fortinet subsequently confirmed. Attackers can use this for initial access, lateral movement, ransomware deployment, or data theft.
Recommended Mitigations: Immediately apply Fortinet's emergency hotfixes for FortiClient EMS 7.4.5 and 7.4.6. Plan to upgrade to version 7.4.7, once released, for a permanent fix. Restrict internet-facing exposure of FortiClient EMS and monitor for unauthorized API access.