Attackers exploited this critical FortiClient EMS bug as a 0-day
theregister.co.uk
Fortinet released an emergency patch over the weekend for a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31.
The flaw, tracked as CVE-2026-35616, is an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code or commands via crafted requests. It earned a critical 9.1 CVSS rating, and in addition to urging customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, the firewall vendor also warned that it has "observed this to be exploited in the wild."
This product allows companies to centrally manage and secure both remote and office computers, and this bug is the second critical FortiClient flaw to come under attack in the past few weeks. In late March, security researchers warned that CVE-2026-21643, which also leads to unauthenticated remote code execution, was being actively exploited in the wild ...

