Fortinet has urgently released patches to address a critical security vulnerability, identified as CVE-2026-35616, within its FortiClient Enterprise Management Server (EMS). This flaw, carrying a CVSS score of 9.1, has been actively exploited in the wild, posing significant risks to organizations utilizing affected versions of FortiClient EMS.
Understanding CVE-2026-35616
CVE-2026-35616 is characterized as an improper access control vulnerability (CWE-284) within FortiClient EMS. This flaw enables unauthenticated attackers to bypass API authentication mechanisms, allowing them to execute unauthorized code or commands through specially crafted requests. The vulnerability specifically impacts FortiClient EMS versions 7.4.5 and 7.4.6.
Discovery and Active Exploitation
The vulnerability was brought to light by security researchers Simo Kohonen from Defused Cyber and Nguyen Duc Anh. Defused Cyber reported observing zero-day exploitation of CVE-2026-35616, with initial exploitation attempts recorded on March 31, 2026. These incidents underscore the critical nature of the flaw and the urgency for immediate remediation.
Fortinet’s Response and Mitigation Measures
In response to the active exploitation, Fortinet has released an out-of-band hotfix to address the vulnerability in the affected versions. The company has also announced that a comprehensive fix will be included in the upcoming FortiClient EMS version 7.4.7. Fortinet strongly advises all users of FortiClient EMS versions 7.4.5 and 7.4.6 to apply the hotfix without delay to mitigate potential security risks.
Implications for Organizations
The exploitation of CVE-2026-35616 highlights the persistent targeting of Fortinet products by threat actors. This incident follows closely on the heels of another critical vulnerability, CVE-2026-21643, which was also actively exploited. The recurrence of such vulnerabilities emphasizes the necessity for organizations to maintain vigilant patch management practices and to promptly address security advisories issued by Fortinet.
Recommendations for FortiClient EMS Users
To safeguard against potential exploits, organizations utilizing FortiClient EMS should:
1. Apply the Hotfix Immediately: Install the hotfix provided by Fortinet for versions 7.4.5 and 7.4.6 to address CVE-2026-35616.
2. Update to the Latest Version: Plan to upgrade to FortiClient EMS version 7.4.7 upon its release for a comprehensive fix.
3. Monitor for Unauthorized Activity: Regularly review system logs and network activity for signs of unauthorized access or unusual behavior.
4. Restrict Administrative Access: Implement strict access controls to limit administrative privileges to trusted personnel and IP addresses.
5. Stay Informed: Keep abreast of Fortinet’s security advisories and apply recommended updates promptly.
Conclusion
The active exploitation of CVE-2026-35616 serves as a stark reminder of the evolving threat landscape and the importance of proactive cybersecurity measures. Organizations must prioritize the application of security patches and maintain robust monitoring to protect their systems from unauthorized access and potential breaches.
