Fortinet Patches Actively Exploited FortiClient EMS Flaw, Urges Immediate Upgrade

Attackers were already inside vulnerable networks when Fortinet pushed an emergency hotfix on April 5 for a critical flaw in FortiClient Enterprise Management Server, a platform used by large organizations to centrally manage endpoint security across corporate estates. The vulnerability, tracked as CVE-2026-35616, allowed unauthenticated attackers to bypass authentication and authorization controls entirely and execute commands or code on exposed EMS instances without any credentials.

Security firm Defused, which reported the bug to Fortinet under responsible disclosure procedures, described it as a pre-authentication API access bypass and confirmed it had observed active exploitation in the wild before the disclosure went public. Fortinet credited Defused and individual researcher Nguyen Duc Anh in its patch notes. The flaw affects FortiClient EMS versions 7.4.5 and 7.4.6; version 7.2 is not affected.

The exposure footprint is substantial. Internet security watchdog Shadowserver identified more than 2,000 internet-accessible FortiClient EMS instances, with a significant concentration in the United States and Germany. Because EMS sits at the center of enterprise endpoint management, a pre-authentication break there gives attackers a high-leverage entry point: they can deploy malware, alter endpoint protection configurations, harvest credentials, or move laterally through victim networks with minimal friction.

Fortinet published hotfixes for the two affected releases and instructed customers to apply them immediately, framing the patch as an emergency change rather than routine maintenance. A full fix is expected in the forthcoming version 7.4.7. Where immediate patching is not possible, security teams were advised to firewall management interfaces and monitor logs for anomalous API activity.

The combination of public disclosure and confirmed in-the-wild exploitation sharply elevated the risk of mass automated scanning and weaponized exploit tooling in the hours and days following the announcement. Security operations centers were urged to treat CVE-2026-35616 as a top priority and coordinate patching, detection, and threat-hunting across all affected EMS instances. The episode reinforces a pattern security researchers have flagged repeatedly: management and orchestration platforms are high-value targets precisely because compromising one can cascade across an entire enterprise environment in a single move.