Overview
- In an advisory issued Saturday, Fortinet confirmed active attacks and released hotfixes for FortiClient EMS 7.4.5 and 7.4.6.
- The flaw, tracked as CVE-2026-35616 with a CVSS score of 9.1, is an improper access control bug that enables pre-login API access and remote command execution.
- Defused Cyber reported seeing zero-day use earlier in the week, and watchTowr logged honeypot hits on March 31 targeting the same weakness.
- A full fix is planned for version 7.4.7. Fortinet says the 7.2 branch is not affected and urges immediate installation of the interim patches.
- Security teams are urged to patch and lock down public access because Shadowserver counted more than 2,000 EMS consoles exposed online, mostly in the U.S. and Germany.