🚨 CRITICAL ALERT: Active Zero-Day Exploits in Fortinet FortiClient EMS
Threat Level: CRITICAL
Fortinet FortiClient Enterprise Management Server (EMS) is under active exploitation in the wild. An unauthenticated remote attacker can bypass API authentication controls and execute arbitrary code or commands on affected systems. Exploitation began as early as March 31, 2026. Immediate patching is required for all affected versions.
Critical Vulnerabilities (CVSS ≥ 8.0)
- CVE-2026-35616, CVSS: 9.8
Product: Fortinet FortiClient EMS 7.4.5 through 7.4.6
Type: Improper Access Control (CWE-284)
Impact: An unauthenticated attacker can execute unauthorized code or commands via crafted requests. This is a pre-authentication API access bypass that completely sidesteps authentication and authorization protections.
Active Exploitation: Confirmed in the wild since March 31, 2026. Listed in CISA’s Known Exploited Vulnerabilities Catalog as of April 6, 2026.
References: NVD Detail | CISA KEV | Fortinet PSIRT
⚡ Immediate Actions Required
Priority 1 – URGENT (Within 24 hours):
- Install Fortinet hotfixes immediately for FortiClient EMS 7.4.5 and 7.4.6
- Upgrade to FortiClient EMS 7.4.7 when available
- Restrict network access to EMS management and agent-facing services to trusted hosts only until patching is complete
- Identify all FortiClient EMS 7.4.5 and 7.4.6 instances in your environment
Priority 2 – Detection & Response:
- Review access logs for suspicious API requests to FortiClient EMS endpoints
- Search for indicators of compromise related to unauthorized code execution on affected servers
- Monitor for lateral movement from compromised EMS systems to managed endpoints
- Verify patching with security testing tools to confirm the attack path is closed
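One way to turn the inventory and log-review steps above into a ranked worklist, as an added example that is not from Fortinet or the original alert. The CSV column names, host names and priority ordering are assumptions; the affected range and exploitation date come from the alert.

```python
import csv
import io
import re

AFFECTED = ((7, 4, 5), (7, 4, 6))   # alert: 7.4.5 through 7.4.6
EXPLOITED_SINCE = "2026-03-31"      # alert: earliest known exploitation

# Constructed sample inventory; hosts and column names are assumptions.
SAMPLE = """host,ems_version,hotfix_applied,internet_exposed
ems-hq.example.internal,7.4.5,no,yes
ems-lab.example.internal,7.4.6,yes,no
ems-dr.example.internal,7.4.4,no,no
ems-eu.example.internal,7.4.6.1234,no,no
ems-new.example.internal,7.4.7,no,yes
ems-old.example.internal,unknown,no,yes
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not parseable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(row):
    """Map one inventory row to (priority, action); lower is more urgent."""
    version = parse_version(row["ems_version"])
    exposed = row["internet_exposed"].strip().lower() == "yes"
    hotfixed = row["hotfix_applied"].strip().lower() == "yes"
    if version is None:
        return (1, "version unknown: verify manually")
    # Compare as integer tuples so 7.4.10 is not mistaken for 7.4.1.
    if not (AFFECTED[0] <= version <= AFFECTED[1]):
        return (4, "outside affected range")
    if hotfixed:
        # A hotfix does not undo a compromise that predates it.
        return (3, f"hotfixed: review logs since {EXPLOITED_SINCE}")
    if exposed:
        return (0, "unpatched and exposed: hotfix and restrict access now")
    return (2, "unpatched: hotfix now")

def triage(csv_text):
    """Return [(host, action)] ordered most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    ranked = sorted(classify(r) + (r["host"],) for r in rows)
    return [(host, action) for _, action, host in ranked]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host:28} {action}")
```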
Additional Context: This vulnerability follows CVE-2026-21643 (also CVSS 9.1), another critical FortiClient EMS flaw actively exploited last week. Both were discovered by cybersecurity firm Defused. The convergence of multiple zero-day exploits targeting FortiClient EMS indicates coordinated threat activity. Over 2,000 exposed FortiClient EMS instances have been identified online, with concentrations in the USA and Germany.

