Attackers exploited this critical FortiClient EMS bug as a 0-day
Summary
Fortinet pushed an emergency hotfix after attackers exploited a critical vulnerability in FortiClient Enterprise Management Server (EMS). Tracked as CVE-2026-35616, the flaw is an improper access control issue that allows unauthenticated actors to execute unauthorised code or commands via crafted requests. The bug carries a 9.1 CVSS score and was observed in the wild as early as 31 March. Fortinet advised customers to install the patch for EMS versions 7.4.5 and 7.4.6; CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue and ordered federal agencies to patch by Thursday.
Key Points
- CVE-2026-35616 is an improper access control vulnerability in FortiClient EMS allowing unauthenticated remote code/command execution.
- The issue was assigned a critical 9.1 CVSS rating and Fortinet released an emergency hotfix for EMS 7.4.5 and 7.4.6.
- Exploitation was first seen around 31 March; watchdogs and honeypots captured early, “low and slow” attacks that later became more opportunistic.
- CISA added the flaw to its KEV catalogue and set a patching deadline for federal agencies, signalling high operational risk.
- Fortinet confirmed in-the-wild exploitation but gave limited details on affected customers; the vendor is communicating remediation directly to clients.
- A recent, related FortiClient RCE (CVE-2026-21643) was also being actively exploited, showing repeated targeting of FortiClient EMS.
- Researchers note FortiClient EMS has a relatively small internet-facing footprint (roughly 100 exposed instances), which reduces broad exposure but does not eliminate risk.
Context and relevance
This is a high-impact security story for organisations that use FortiClient EMS to centrally manage endpoints. The combination of an unauthenticated RCE bug, observed exploitation in the wild, and CISA’s inclusion in the KEV catalogue makes this a timely operational priority. It also illustrates an ongoing pattern: attackers are actively targeting Fortinet management products, and quick patching is essential because exploit activity often escalates from targeted to indiscriminate once a zero-day is announced or leaks.
Why should I read this?
Short version: if you run FortiClient EMS, stop what you’re doing and patch it. This one’s nasty — unauthenticated RCE and evidence it’s already being used in real attacks. Even if you don’t use FortiClient EMS directly, it’s worth skimming because it shows how quickly zero-days go from quiet surveillance to loud, scattergun attacks. We’ve done the digging so you don’t have to.
