Fortinet Issues Emergency Patch for FortiClient EMS Zero-Day Exploited in the Wild
Fortinet has released an emergency hotfix for a critical FortiClient EMS vulnerability, CVE-2026-35616, that is being actively exploited to allow unauthenticated remote code execution.
Fortinet has issued an emergency patch for a critical vulnerability in its FortiClient Enterprise Management Server (EMS) after confirming the flaw is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-35616, carries a CVSS score of 9.1 and stems from improper access control in the API layer. An unauthenticated attacker can send crafted requests to bypass authentication and execute arbitrary code or commands on the EMS server, potentially compromising the entire endpoint management infrastructure.
The emergency hotfix covers FortiClient EMS versions 7.4.5 and 7.4.6, with the upcoming version 7.4.7 expected to include a permanent fix. Cybersecurity firm Defused, which discovered the vulnerability and reported it to Fortinet, said it observed the flaw being exploited as a zero-day earlier last week. In a social media post, Defused explained that the vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely, enabling unauthorized code execution via crafted requests.
Separately, Fortinet is also warning about a second critical vulnerability in the same platform, CVE-2026-21643, a SQL injection flaw with a CVSS score of 9.8 that is also being exploited in the wild. This vulnerability allows unauthenticated attackers to execute unauthorized code through specially crafted HTTP requests. For this flaw, Fortinet has urged customers to upgrade to version 7.4.5 or later, or at minimum disconnect the administrative web interface from the internet.
The exploitation of these vulnerabilities poses a severe risk to organizations. By hijacking the FortiClient EMS, threat actors can push malicious updates to endpoints, deploy ransomware, conduct espionage, or launch deeper attacks into cloud systems. Indicators of compromise for the SQL injection flaw include HTTP 500 errors on the `/api/v1/init_consts` endpoint, unusual database error messages in PostgreSQL logs, and the presence of unauthorized remote monitoring and management tools.
Endpoint management solutions have become a prime target for attackers due to the privileged access they provide to an organization's entire device fleet. This incident marks the second time in recent years that Fortinet has had to address a critical SQL injection vulnerability in FortiClient EMS; a similar flaw was patched in 2024. Customers are strongly advised to apply the hotfix immediately and review their environments for signs of compromise.