Cybersecurity firm Fortinet released emergency patches late last week to address a critical access control vulnerability in its FortiClient Enterprise Management Server (EMS). Tracked as CVE-2026-35616, the vulnerability carries a CVSS score of 9.1 and allows unauthenticated attackers to execute arbitrary code or commands via specially crafted requests.
Fortinet has confirmed that the vulnerability has been exploited in the wild since March 31. The company is urging customers to immediately update to FortiClient EMS versions 7.4.5 or 7.4.6. This marks the second critical vulnerability in the product to be targeted by attackers in just a few weeks, following the active exploitation of CVE-2026-21643.
CISA Issues Remediation Mandate
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog this past Monday. Under the agency's binding operational directive, all U.S. federal agencies are required to deploy the patch by Thursday.
Fortinet declined to provide specific details regarding the identity of the attackers or the number of affected customers. A company spokesperson stated only that the Product Security Incident Response Team (PSIRT) is actively managing the situation and has been in direct contact with affected customers to provide necessary guidance.
Benjamin Harris, CEO of security research firm watchTowr, confirmed to the media that the firm’s honeypot infrastructure first detected exploitation attempts targeting this vulnerability on March 31. Ryan Dewhurst, watchTowr’s head of threat intelligence, noted that while initial activity was cautious and slow, the frequency of attacks escalated rapidly thereafter.
Caitlin Condon, vice president of security research at VulnCheck, noted a silver lining: relatively few FortiClient EMS instances are directly exposed to the internet. Her team’s analysis suggests there are only about 100 publicly accessible instances. Nevertheless, given the history of state-sponsored hacking groups from Russia and China targeting Fortinet products, organizations are advised to remain highly vigilant.