Overview
- Fortinet issued an out-of-band hotfix for FortiClient Enterprise Management Server and told customers on versions 7.4.5 and 7.4.6 to apply it right away, with a permanent fix planned for 7.4.7 and version 7.2 not affected.
- CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, which requires U.S. federal agencies to remediate the issue on an accelerated timeline.
- The bug, rated CVSS 9.1, is an improper access control flaw that lets an unauthenticated attacker bypass access controls on the EMS API and run unauthorized code or commands through crafted requests.
- Security firms Defused and watchTowr reported in-the-wild activity before public disclosure, and Fortinet confirmed ongoing exploitation of the zero-day.
- This follows a separate FortiClient EMS SQL injection flaw, CVE-2026-21643, that was also exploited, raising the stakes because an attacker who seizes the EMS console can push malicious updates to entire device fleets.