TL;DR
- Fortinet released an emergency weekend patch for a second critical zero-day in FortiClient EMS within one week
- CVE-2026-35616 is an authentication bypass allowing unauthenticated remote code execution
- Over 2,000 FortiClient EMS instances are exposed online, mostly in the USA and Germany
- If you use FortiClient EMS 7.4.5 or 7.4.6, apply the hotfix immediately or upgrade to 7.4.7
- This follows CVE-2026-21643, another critical FortiClient EMS flaw actively exploited
A Second Zero-Day in One Week
For the second time in seven days, Fortinet has rushed out an emergency security patch for its FortiClient Enterprise Management Server (EMS) software. The new vulnerability, tracked as CVE-2026-35616, is already under active exploitation in the wild, with confirmed attacks detected before Fortinet was even warned [1].
This zero-day is an improper access control vulnerability that allows unauthenticated attackers to bypass authentication entirely and execute arbitrary code or commands via specially crafted HTTP requests to the EMS management interface [2]. No credentials are required—the attacker only needs network access to the web interface.
What Makes This Vulnerability Dangerous
The vulnerability was discovered by cybersecurity firm Defused, which observed it being exploited as a zero-day in real-world attacks before Defused reported it to Fortinet under responsible disclosure [3]. This means attackers were actively using the vulnerability before a fix was available—hence the term "zero-day."
According to Fortinet's advisory, CVE-2026-35616 impacts FortiClient EMS versions 7.4.5 and 7.4.6 [4]. The flaw was patched on Saturday (April 4, 2026), with Fortinet explicitly confirming wild exploitation and urging immediate action.
The Attack Surface: 2,000+ Exposed Instances
Internet security watchdog Shadowserver has identified over 2,000 FortiClient EMS instances publicly exposed to the internet, with the majority located in the USA and Germany [5]. Each of these instances represents a potential entry point for attackers exploiting CVE-2026-35616.
FortiClient EMS is a centralized management platform for FortiClient endpoint security agents. A compromised EMS server gives attackers access to:
- Administrative credentials for all managed endpoints
- Complete endpoint inventory and security policies
- Digital certificates for managed devices
- The ability to push malicious updates to endpoints
This makes EMS an exceptionally high-value target—compromising one server can expose an entire organization's endpoint fleet.
Two Zero-Days in Seven Days
CVE-2026-35616 is the second critical FortiClient EMS vulnerability disclosed in a week. The previous flaw, CVE-2026-21643, is a SQL injection vulnerability affecting version 7.4.4 that is also under active exploitation [6].
Both vulnerabilities were discovered by Defused, with Fortinet crediting Nguyen Duc Anh as an additional discoverer for CVE-2026-35616 [7]. The rapid succession of zero-days in the same product suggests intensified vulnerability research and exploitation activity targeting enterprise endpoint management platforms.
Affected Versions and Mitigation
Vulnerable versions:
- FortiClient EMS 7.4.5
- FortiClient EMS 7.4.6
Not affected:
- FortiClient EMS 7.2 (confirmed by Fortinet)
- FortiClient EMS 7.4.7 (upcoming release with the fix)
Immediate actions required:
- Apply the emergency hotfix for your version:
  - FortiClient EMS 7.4.5: Hotfix 832484
  - FortiClient EMS 7.4.6: Hotfix 832484 [8]
- Upgrade to 7.4.7 when available for a permanent fix
- Restrict network access to the EMS management interface from the internet. If possible, place it behind a VPN or require IP allowlisting
- Audit for indicators of compromise, including unusual administrative logins, unexpected policy changes, or suspicious endpoint updates
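The two steps above that an administrator can script are the version triage (which versions need the hotfix, which are fixed or unaffected) and the audit for administrative logins that come from outside the management allowlist. The Python below is an added example written for this article, not code from Fortinet, the advisory, or the article's author. It assumes a constructed, hypothetical log line format (`<timestamp> admin_login user=<name> src=<ip> result=<success|failure>`) because the page does not show FortiClient EMS's real log format; the sample lines, IP ranges and timestamps are all constructed. The version-to-action mapping uses only the versions and hotfix number stated in this article.

```python
"""Triage a FortiClient EMS version and audit admin logins against an allowlist.

Added example: the log format below is hypothetical, not Fortinet's real EMS
log format. Adapt LOG_RE to the export from your own EMS server or SIEM.
"""
import ipaddress
import re
from dataclasses import dataclass

# Versions as stated in the article (Fortinet advisory FG-IR-26-099).
VULNERABLE_35616 = {"7.4.5", "7.4.6"}
FIXED_35616 = "7.4.7"
VULNERABLE_21643 = {"7.4.4"}  # the earlier SQL injection flaw, a separate advisory
HOTFIX_35616 = "832484"


def classify_version(version: str) -> str:
    """Map the version shown under Help > About to the action the article gives."""
    v = version.strip()
    if v in VULNERABLE_35616:
        return (f"vulnerable to CVE-2026-35616: apply hotfix {HOTFIX_35616} "
                f"or upgrade to {FIXED_35616}")
    if v in VULNERABLE_21643:
        return "vulnerable to CVE-2026-21643: apply the fix from that advisory"
    if v == FIXED_35616:
        return "fixed for CVE-2026-35616"
    if v == "7.2" or v.startswith("7.2."):
        return "not affected by CVE-2026-35616 (still keep it current)"
    return "unknown version: check the advisory"


# Hypothetical log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) admin_login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    user: str
    src: str
    reason: str


def audit_admin_logins(lines, allowlist):
    """Return successful admin logins whose source IP is outside the allowlist.

    The allowlist is the set of management networks that should be the only
    sources able to reach the EMS web interface (VPN pool, admin VLAN, ...).
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an admin-login record; other event types are ignored here
        if m["result"] != "success":
            continue  # failures are noise for this check; a burst detector would count them
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            findings.append(Finding(m["ts"], m["user"], m["src"],
                                    "successful admin login from outside the management allowlist"))
    return findings


# Constructed sample input: two logins from inside the admin network, two from
# public addresses (RFC 5737 documentation ranges), one malformed line.
MGMT_ALLOWLIST = ["10.20.0.0/16", "192.168.50.0/24"]
SAMPLE_LOG = [
    "2026-04-04T09:12:01Z admin_login user=admin src=10.20.0.15 result=success",
    "2026-04-04T23:41:57Z admin_login user=admin src=198.51.100.77 result=success",
    "2026-04-05T02:03:10Z admin_login user=svc-ems src=203.0.113.9 result=failure",
    "2026-04-05T02:03:44Z admin_login user=svc-ems src=203.0.113.9 result=success",
    "2026-04-05T08:00:02Z admin_login user=admin src=192.168.50.4 result=success",
    "not a login line",
]

if __name__ == "__main__":
    for ver in ("7.4.5", "7.4.6", "7.4.7", "7.4.4", "7.2.10", "6.4.9"):
        print(f"{ver}: {classify_version(ver)}")
    for f in audit_admin_logins(SAMPLE_LOG, MGMT_ALLOWLIST):
        print(f"{f.timestamp} user={f.user} src={f.src}: {f.reason}")
```

Running the script flags the two logins from 198.51.100.77 and 203.0.113.9 and leaves the allowlisted ones alone. The same allowlist is what the restrict-access step above should enforce at the firewall or reverse proxy; the audit exists to catch logins that happened before that restriction was in place.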
Why This Matters for Your Business
Fortinet's FortiClient is one of the most widely deployed endpoint security platforms globally. If your business uses FortiClient EMS, this vulnerability represents a critical risk because:
- No authentication required: Attackers don't need stolen credentials or phishing access
- Complete platform compromise: A successful exploit gives attackers control over your entire endpoint security infrastructure
- Active exploitation: This isn't theoretical—attacks are happening right now
- Supply chain risk: Compromised EMS can be used to distribute malware to all managed endpoints
The Bigger Picture: Endpoint Management Under Siege
The back-to-back zero-days in FortiClient EMS reflect a broader trend: attackers are increasingly targeting security management platforms themselves. By compromising the tools used to manage and secure endpoints, attackers gain privileged, trusted access that bypasses many traditional security controls.
This pattern has been repeated across vendors in recent years, affecting VPN appliances, firewall management interfaces, and now endpoint management servers. The lesson: your security infrastructure itself must be secured with the same rigor as the assets it protects.
FAQ
No, they are different vulnerabilities. CVE-2026-21643 is a SQL injection flaw in version 7.4.4, while CVE-2026-35616 is an authentication bypass affecting versions 7.4.5 and 7.4.6. Both are critical and both are under active exploitation.
No. Fortinet has confirmed that FortiClient EMS 7.2 is not affected by CVE-2026-35616. However, you should still review the security advisory to ensure your deployment is fully updated.
While internet-exposed instances are at highest risk, internal-only deployments should still be patched. Attackers who gain initial access through other means (phishing, vulnerable VPN, compromised third-party) can move laterally to attack internal EMS servers.
Log into your EMS management console and check the version in Help > About. If it shows 7.4.5 or 7.4.6, you are vulnerable and should apply the hotfix immediately. Versions 7.2 and 7.4.4 (for CVE-2026-21643) have separate vulnerabilities to address.
Yes. CVE-2026-35616 is a pre-authentication vulnerability, meaning unauthenticated attackers can exploit it without any valid credentials. The attacker only needs network connectivity to the EMS web interface.
References
[1] BleepingComputer, "New FortiClient EMS flaw exploited in attacks, emergency patch released," April 5, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/
[2] Fortinet FortiGuard, "FG-IR-26-099: FortiClient EMS Improper Access Control Vulnerability," April 4, 2026. [Online]. Available: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
[3] Defused Cyber, "FortiClient EMS Zero-Day CVE-2026-35616 Discovery Post," X (formerly Twitter), April 4, 2026. [Online]. Available: https://x.com/DefusedCyber/status/2040315969159995847
[4] Fortinet Documentation, "FortiClient 7.4.5 EMS Release Notes," April 2026. [Online]. Available: https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484
[5] Shadowserver Foundation, "FortiClient EMS Exposure Statistics," X (formerly Twitter), April 4, 2026. [Online]. Available: https://x.com/Shadowserver/status/2040845567882928304
[6] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
[7] The Hacker News, "Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS," April 5, 2026. [Online]. Available: https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html
[8] Fortinet Documentation, "FortiClient 7.4.6 EMS Release Notes," April 2026. [Online]. Available: https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484
TL;DR
- Fortinet makes security software that protects computers
- Someone found a hole in it—twice in one week
- Bad guys are already using this hole to break in
- You need to install an emergency update right now
- Over 2,000 companies are affected worldwide
What Happened?
Imagine you have a really fancy lock on your front door. You trust it completely. Then someone discovers that the lock actually opens if you just wiggle it the right way. That's what happened to Fortinet, a company that makes security software for businesses.
Fortinet makes a program called FortiClient EMS. It's like a remote control for security software on all the computers in a company. When a business has 100 computers, they use EMS to manage security on all of them from one place.
The problem: Someone found a way to trick the EMS program into doing whatever they want—without needing a password.
Think of It Like a Fake Security Guard
Here's an analogy:
Imagine a security guard sitting at a desk. When employees walk in, the guard checks their ID badge and lets them in.
Now imagine an unknown person walks in wearing a special badge that says "I'm the boss." The guard doesn't check any further—just waves them through. Once inside, this fake boss can go anywhere, change any rules, and even tell all the real employees to do the wrong thing.
That's what this vulnerability is like. The EMS program is supposed to check passwords. But someone figured out how to send a fake "I'm allowed in" signal that the program accepts without checking. Once they're in, they control everything.
Why It's Happening Again
This is the second time in one week that someone found a hole in Fortinet's EMS program. That's like discovering your front door lock is broken, fixing it, then discovering your back door lock is broken too.
The first hole (called CVE-2026-21643) was found last week. This new hole (CVE-2026-35616) is completely different but just as dangerous.
How Many Businesses Are Affected?
Security researchers found over 2,000 of these EMS programs exposed to the internet—like having 2,000 houses with broken door locks. Most of them are in the United States and Germany [1].
Each one of these EMS programs controls security for dozens or hundreds of computers. So the actual number of computers at risk could be hundreds of thousands.
What the Bad Guys Can Do
If an unauthorized person breaks into the EMS program, they can:
- See all the computers the company owns
- Turn off security on any computer they want
- Steal passwords from the system
- Install viruses on all the computers at once
- Read secret files and customer information
It's like giving a malicious person the master key to every room in a hotel.
What Businesses Need to Do Right Now
If your business uses Fortinet FortiClient EMS:
- Check which version you have (ask your IT person or check the Help menu)
- If it's version 7.4.5 or 7.4.6, install the emergency update immediately [2]
- If it's version 7.2, you're safe from this specific problem (but still check for other updates)
- Make sure the EMS program isn't visible from the internet—it should only be reachable from inside your company's network
This is like changing the locks on your house as soon as you learn someone might have a copy of your key.
Why This Keeps Happening
Security software is like any other software—humans write it, and humans make mistakes. The difference is that when security software has mistakes, it's extra dangerous because it's supposed to be protecting you.
Good security companies:
- Find their own mistakes and fix them fast
- Pay researchers to find mistakes before bad guys do
- Release emergency updates when something is dangerous
Fortinet did the right thing by releasing this emergency update quickly. But businesses still need to actually install it.
The Lesson: Update Everything, Always
This is why businesses need to:
- Install updates quickly, especially for security software
- Have someone watching for security news (like lilMONSTER does for clients)
- Use more than one security tool—so if one fails, another protects you
- Test backups regularly—in case something goes wrong and you need to recover
Think of it like wearing both a seatbelt and driving carefully. You do both because one safety measure isn't enough.
FAQ
No. This requires advanced technical knowledge and special hacking tools. The people finding these vulnerabilities are professional security researchers or sophisticated attackers.
Probably not, unless your school uses Fortinet EMS specifically. But all organizations should keep their software updated.
They actually found a similar problem last week (CVE-2026-21643) on their own [3]. This new problem was found by independent security researchers who help make software safer by finding holes before bad guys do.
Emergency updates like this are tested carefully to make sure they fix the problem without causing new issues. However, it's always smart to back up important data before installing any update.
Ask your teacher or parent if they want to check. Businesses usually know what security software they use. You might also see "Fortinet" or "FortiClient" on your computer if you're at school.
References
[1] Shadowserver Foundation, "FortiClient EMS Exposure Statistics," X (formerly Twitter), April 4, 2026. [Online]. Available: https://x.com/Shadowserver/status/2040845567882928304
[2] Fortinet Documentation, "FortiClient 7.4.5 EMS Release Notes," April 2026. [Online]. Available: https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484
[3] Help Net Security, "Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)," March 30, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
[4] BleepingComputer, "New FortiClient EMS flaw exploited in attacks, emergency patch released," April 5, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/
[5] Fortinet FortiGuard, "FG-IR-26-099: FortiClient EMS Improper Access Control Vulnerability," April 4, 2026. [Online]. Available: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
[6] Defused Cyber, "FortiClient EMS Zero-Day CVE-2026-35616 Discovery Post," X (formerly Twitter), April 4, 2026. [Online]. Available: https://x.com/DefusedCyber/status/2040315969159995847
[7] The Hacker News, "Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS," April 5, 2026. [Online]. Available: https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html
[8] Fortinet Documentation, "FortiClient 7.4.6 EMS Release Notes," April 2026. [Online]. Available: https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484