Security teams are on high alert as Fortinet confirms that a critical vulnerability in its FortiClient EMS (Enterprise Management Server) is being exploited by attackers in active campaigns. The flaw, tracked as CVE-2026-35616, carries a CVSS score of 9.1, placing it among the most severe threats to enterprise endpoint management infrastructure.
The issue is categorized as an Improper Access Control vulnerability [CWE-284]. In practical terms, the “gatekeeper” that checks identity and permissions at the API level can be tricked into admitting requests from callers who never authenticated.
Because the flaw sits in API authentication and authorization, an unauthenticated attacker can send crafted requests to the server. Once those checks are bypassed, the attacker can execute unauthorized code or commands directly on the FortiClient EMS.
What makes this disclosure particularly pressing is that it is not a theoretical risk: “Fortinet has observed this to be exploited in the wild” and is urging all vulnerable customers to take immediate action.
Attackers commonly use initial-access vectors like this one to move laterally through a corporate network, deploy ransomware, or steal sensitive data. An EMS server is an especially valuable foothold because it centrally manages the FortiClient endpoints that report to it.
The scope of the impact is currently limited to specific versions of the 7.4 branch:
- Affected Versions: FortiClientEMS 7.4.5 through 7.4.6.
- Safe Versions: FortiClientEMS 7.2 and older branches are not affected by this specific bug.
The upcoming FortiClientEMS 7.4.7 will include a permanent fix. In the meantime, Fortinet has released hotfixes for versions 7.4.5 and 7.4.6.
Action Plan for Administrators:
- Identify your version: Check if you are running FortiClientEMS 7.4.5 or 7.4.6.
- Apply the Hotfix: Follow Fortinet's official documentation to install the hotfix for your version immediately, and record which servers have received it.
- Prepare for 7.4.7: Plan to upgrade to version 7.4.7 or later as soon as it is released; the hotfix is an interim measure, and the 7.4.7 release carries the permanent fix.
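For the first step of the plan, a practitioner with more than a handful of EMS servers will want to triage an inventory rather than eyeball each console. The script below is an added example and is not Fortinet's code or tooling; it assumes each server's version is available as a dotted major.minor.patch string (possibly embedded in other text) and uses the affected range stated in this article, 7.4.5 through 7.4.6, treating every other version as not affected because that is all the published version list supports. The hostnames and version strings in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range from the advisory summary in this article: FortiClientEMS 7.4.5 through 7.4.6.
# Versions outside this range (7.2 and older branches, 7.4.0-7.4.4, and 7.4.7 or later once
# released) are treated as not affected, which is all the article's version list supports.
AFFECTED_MIN: Version = (7, 4, 5)
AFFECTED_MAX: Version = (7, 4, 6)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from free text.

    Assumption (not from the advisory): the EMS version appears as a dotted
    triple somewhere in the string, e.g. "FortiClientEMS 7.4.5". Returns None
    when no triple is present so the caller flags the host as unknown instead
    of silently treating it as safe.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify one reported version as 'affected', 'not-affected' or 'unknown'.

    Caveat: a 7.4.5 or 7.4.6 host that already has the hotfix installed is still
    reported as 'affected' here, because the version triple alone does not show
    whether the hotfix is present. Track hotfix status separately.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so 'affected' and 'unknown' can be worked first."""
    groups: Dict[str, List[str]] = {"affected": [], "unknown": [], "not-affected": []}
    for host, version_text in sorted(inventory.items()):
        groups[assess(version_text)].append(host)
    return groups


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "ems-hq-01": "FortiClientEMS 7.4.5",
    "ems-hq-02": "7.4.6, build unknown",
    "ems-lab-01": "FortiClientEMS 7.4.4",
    "ems-dc-01": "7.2.10",
    "ems-new-01": "7.4.7",
    "ems-old-01": "version unavailable",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket deserve the same urgency as "affected" ones until their version is confirmed; an inventory gap is not evidence of safety.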
Update:
The urgency surrounding this flaw reached a new peak on April 6, 2026, when the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog. CISA warns that this type of improper access control is a “frequent attack vector for malicious cyber actors” and poses “significant risks to the federal enterprise.” Federal Civilian Executive Branch (FCEB) agencies have accordingly been directed to remediate the vulnerability by April 9, 2026. A three-day deadline is unusually short and underscores the severity of the active exploitation.