Fortinet has released out-of-band patches for a critical vulnerability in FortiClient EMS that has been exploited in the wild as a zero-day since March 31, 2026. Tracked as CVE-2026-35616 with a CVSS score of 9.1, the flaw is a pre-authentication API access bypass that leads to privilege escalation and lets an unauthenticated remote attacker execute unauthorized code or commands by sending crafted requests to the EMS server. Security researchers observed the zero-day exploitation earlier this week; the first exploitation attempts were recorded on March 31, before any fix was available.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by April 9, 2026. The flaw affects FortiClient EMS versions 7.4.5 through 7.4.6; more than 2,000 internet-exposed instances have been identified worldwide. Fortinet shipped emergency hotfixes over the weekend and plans a full fix in version 7.4.7. Because exploitation began before a fix existed, administrators running an affected version should apply the hotfix now, upgrade to 7.4.7 when it is released, and review any instance that was exposed during that window for signs of compromise rather than treating the patch alone as remediation.
The exploitation window coincided with the Easter holiday weekend, consistent with attackers' preference for striking when security teams are at reduced capacity. It follows another critical FortiClient EMS vulnerability, CVE-2026-21643, that was actively exploited only weeks earlier.
