Tags: vulnerability, critical, Active Exploitation, Remote Code Execution, CVE-2026-21643, CVE-2026-35616

Apr 06, 2026 • Diksha Ojha

Fortinet FortiClientEMS Vulnerability Exploited in the Wild (CVE-2026-35616)


Source: Qualys ThreatPROTECT
Category: vulnerability
Severity: critical

Executive Summary

Fortinet has addressed a critical vulnerability, CVE-2026-35616, affecting FortiClient Endpoint Management Server (EMS) versions 7.4.5 through 7.4.6. This flaw carries a CVSS score of 9.1 and is actively exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities Catalog. Successful exploitation allows unauthenticated attackers to execute unauthorized code or commands via crafted requests, posing a significant risk to centralized endpoint management infrastructure. This incident follows another critical exploitation (CVE-2026-21643), though attribution remains unclear. Qualys assigns a Vulnerability Score of 95 due to active exploitation indicators. Organizations must immediately upgrade to FortiClient EMS version 7.4.7 or apply available hotfixes to mitigate risk. Delaying patches exposes networks to potential compromise. Users should monitor Qualys Threat Protection for further coverage and consult Fortinet PSIRT Advisory FG-IR-26-099 for detailed remediation instructions to secure their environments against this active threat.

Summary

Fortinet released a security advisory to address an actively exploited vulnerability impacting FortiClientEMS. Tracked as CVE-2026-35616, the vulnerability has a critical severity rating with a CVSS score of 9.1. Successful exploitation may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. Simo Kohonen from Defused and Nguyen Duc Anh discovered and reported the vulnerability to Fortinet. CISA …

Published Analysis

Fortinet released a security advisory to address an actively exploited vulnerability impacting FortiClientEMS. Tracked as CVE-2026-35616, the vulnerability has a critical severity rating with a CVSS score of 9.1. Successful exploitation may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Simo Kohonen from Defused and Nguyen Duc Anh discovered and reported the vulnerability to Fortinet. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before April 9, 2026.

FortiClient Endpoint Management Server is a security management solution that enables users to manage multiple endpoints (computers) in a centralized, scalable manner. It provides visibility across the network and allows users to assign security profiles to endpoints, automatically manage devices, and troubleshoot FortiClient EMS.

This development follows just days after a recently patched critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) that was actively exploited. It is unclear whether the same threat actor is behind both vulnerabilities or whether they are being chained together.

Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-35616. QVS is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, CISA known exploits, and more.

Affected Versions

The vulnerability affects FortiClientEMS versions 7.4.5 through 7.4.6.

Mitigation

Users must upgrade to FortiClient EMS 7.4.7 or later to patch the vulnerability. Please refer to the Fortinet PSIRT Advisory (FG-IR-26-099) for more information.

Workaround

Fortinet suggests customers install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 by following the instructions at:

  • https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 – for FortiClientEMS 7.4.5
  • https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 – for FortiClientEMS 7.4.6

Qualys Detection

Qualys customers can scan their devices with QIDs 386970 and 531112 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-099
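As an added example (not Qualys or Fortinet code), the following Python triages a constructed FortiClient EMS inventory against the release range the advisory states (7.4.5 through 7.4.6 affected, 7.4.7 the fix). Hostnames and version strings are made up, and because an installed hotfix is not visible from the release number, 7.4.5 and 7.4.6 hosts are flagged for verification rather than assumed patched.

```python
"""Triage a FortiClient EMS inventory against FG-IR-26-099 (CVE-2026-35616).

Added example for this page, not Qualys or Fortinet code. The release
range (7.4.5 through 7.4.6 affected, 7.4.7 fixed) comes from the advisory
text above; the inventory at the bottom is constructed sample data.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (7, 4, 5)   # first affected release per the advisory
AFFECTED_MAX = (7, 4, 6)   # last affected release per the advisory
FIXED = (7, 4, 7)          # upgrade target per the advisory

# major.minor.patch, optional leading "v", optional trailing build suffix
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\D.*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None for strings we cannot parse.

    A suffix such as "7.4.6 build 1920" is tolerated but ignored, since the
    advisory scopes the flaw by release, not by build number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Map one EMS version string to a triage state for CVE-2026-35616."""
    v = parse_version(version)
    if v is None:
        return "unknown"           # cannot tell from inventory; check the host
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"        # 7.4.5 / 7.4.6: upgrade, or confirm hotfix
    if v >= FIXED:
        return "fixed"             # 7.4.7 or later
    return "not-in-advisory"       # releases the advisory does not list


def triage(inventory):
    """Return {hostname: state} for an iterable of (hostname, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    SAMPLE = [("ems-prod-01", "7.4.5"), ("ems-prod-02", "7.4.6 build 1920"),
              ("ems-lab-01", "7.4.7"), ("ems-old-01", "7.4.4"), ("ems-dr-01", "n/a")]
    for host, state in triage(SAMPLE).items():
        print(f"{host:12s} {state}")
```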

Linked Entities

  • CVE-2026-21643
  • CVE-2026-35616