Cybersecurity vendor Fortinet released an emergency security patch this weekend to address a high-risk vulnerability in its FortiClient Enterprise Management Server (EMS) that is currently being actively exploited in the wild.
Tracked as CVE-2026-35616, the flaw stems from improper access control. Unauthenticated attackers can leverage the vulnerability by sending specially crafted requests to execute arbitrary code or commands on affected servers.
In an official advisory, Fortinet stated: "Fortinet has observed this vulnerability being exploited in the wild and urges affected customers to immediately install the patches for FortiClient EMS versions 7.4.5 and 7.4.6."
The vulnerability was discovered by the cybersecurity firm Defused. On the social media platform X, Defused disclosed that they observed the flaw being exploited as a zero-day earlier in the week, prior to their responsible disclosure to Fortinet.
Patching and Scope of Impact
Fortinet confirmed that FortiClient EMS versions 7.4.5 and 7.4.6 are affected by this vulnerability. The company has released patches for these versions and plans to fully resolve the issue in the upcoming release of FortiClient EMS 7.4.7. FortiClient EMS version 7.2 is not affected.
According to data from the internet security monitoring organization Shadowserver, there are currently over 2,000 FortiClient EMS instances exposed online globally, with the majority located in the United States and Germany. These exposed servers are at an extremely high risk of compromise.
This marks the second critical vulnerability discovered in FortiClient EMS in recent weeks. Just last week, the product was hit by another actively exploited flaw, CVE-2026-21643. Both vulnerabilities were identified by Defused, and Fortinet extended its gratitude to researcher Nguyen Duc Anh for reporting the issues.
Security experts advise all enterprise users running the affected versions to deploy the patches as soon as possible, or to upgrade immediately upon the release of version 7.4.7, to prevent potential system breaches and data leaks.
