Ethical Hacking News
Fortinet has issued a hotfix for a critical, actively exploited vulnerability in its FortiClient EMS (Endpoint Management Server) software. The flaw, tracked as CVE-2026-35616, is a pre-authentication API access bypass that leads to privilege escalation and carries a CVSS score of 9.1. Exploitation in the wild has been observed since March 31, 2026.
According to Fortinet's advisory, the issue affects FortiClient EMS versions 7.4.5 and 7.4.6. Exploitation attempts have been observed in the wild since March 31, 2026, when watchTowr's honeypots first recorded them. Simo Kohonen of Defused Cyber and Nguyen Duc Anh are credited with discovering and reporting the vulnerability.
The flaw allows an unauthenticated attacker to bypass API access controls and execute unauthorized code or commands via crafted requests. The pre-authentication aspect is what makes it so serious: no credentials are needed, so any attacker who can reach the EMS API can attempt the bypass, and a successful bypass yields privileged access to the EMS server, which in turn manages the organization's endpoints.
Fortinet has released a hotfix for the affected versions and will also ship the fix in the upcoming FortiClient EMS 7.4.7. Given that exploitation is already under way, the company has emphasized that administrators should apply the hotfix immediately rather than wait for the next scheduled release.
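The advisory boils down to a version decision: 7.4.5 and 7.4.6 are exposed unless the hotfix is on, and 7.4.7 carries the fix. The script below is an added example, not code from Fortinet or from this article, that triages a fleet inventory against that rule. It assumes a constructed inventory format with a `hotfix_applied` flag (Fortinet's own reporting of hotfix state is not described on this page, so that field is hypothetical), and it deliberately reports other release branches as "not listed" rather than "safe", because the advisory only names the 7.4.5 and 7.4.6 builds.

```python
"""Triage FortiClient EMS hosts against the CVE-2026-35616 advisory.

Added example, not Fortinet's or the article's code. The inventory format,
the `hotfix_applied` flag and the sample hosts are constructed for
illustration; only the affected/fixed version numbers come from the advisory.
"""
import re
from dataclasses import dataclass

# Versions the advisory names as affected, and the first release with the fix.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED_IN = (7, 4, 7)


@dataclass
class Host:
    name: str
    version: str
    hotfix_applied: bool = False  # hypothetical inventory field


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings like '7.4.6',
    'v7.4.6' or '7.4.6 build 1234'. Raises on unrecognised input so a
    malformed inventory row is never silently treated as patched."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(host: Host) -> str:
    """Classify one host: VULNERABLE, mitigated (hotfix on an affected
    build), fixed (7.4.7 or later on the 7.4 branch) or not listed."""
    v = parse_version(host.version)
    if v in AFFECTED:
        return "mitigated" if host.hotfix_applied else "VULNERABLE"
    if v[:2] == FIXED_IN[:2] and v >= FIXED_IN:
        return "fixed"
    # Other branches are not named by the advisory; do not assume safety.
    return "not listed"


def triage(hosts) -> dict:
    """Map host name -> status for a whole inventory."""
    return {h.name: assess(h) for h in hosts}


# Constructed sample inventory, not real hosts.
SAMPLE = [
    Host("ems-hq-01", "7.4.5"),
    Host("ems-hq-02", "v7.4.6 build 1823", hotfix_applied=True),
    Host("ems-lab-01", "7.4.7"),
    Host("ems-old-01", "7.2.9"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name:12} {status}")
```

Any host reported as VULNERABLE should be patched first; hosts reported as "not listed" should be checked against the current advisory text rather than assumed unaffected.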
This is not the first critical FortiClient EMS vulnerability to surface in recent weeks. Another recently patched flaw, CVE-2026-21643, was also exploited in the wild, and it remains unclear whether the same threat actor is behind both campaigns.
Benjamin Harris, CEO of watchTowr, has pointed out that the timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental. He noted that attackers often take advantage of holiday weekends to move quickly, when security teams are at half strength and on-call engineers are distracted.
Organizations running FortiClient EMS 7.4.5 or 7.4.6 should apply the hotfix now, or upgrade to 7.4.7 once it ships, without waiting for a maintenance window. Because exploitation attempts predate the patch, patching alone does not rule out an earlier compromise: check whether the EMS API or management interface was reachable from untrusted networks, and review EMS logs and endpoint activity from March 31, 2026 onward for unexpected requests or administrative changes before treating a patched server as clean.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-Patches-Critical-Vulnerability-in-FortiClient-EMS-Exposed-to-Active-Exploitation-ehn.shtml
https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html
https://www.runzero.com/blog/fortinet-forticlient-ems/
https://nvd.nist.gov/vuln/detail/CVE-2026-35616
https://www.cvedetails.com/cve/CVE-2026-35616/
https://nvd.nist.gov/vuln/detail/CVE-2026-21643
https://www.cvedetails.com/cve/CVE-2026-21643/
https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
Published: Sun Apr 5 01:21:21 2026 by llama3.2 3B Q4_K_M