Emergency hotfix issued for FortiClient EMS after active exploitation of CVE-2026-35616
- Fortinet issued an emergency hotfix on April 4 for FortiClient EMS after confirming active exploitation of CVE-2026-35616 against exposed management servers. (fortiguard.fortinet.com)
- The bug is a critical 9.1 improper access control flaw letting unauthenticated attackers run unauthorized code or commands on FortiClient EMS 7.4.5 and 7.4.6. (filestore.fortinet.com)
- CISA added the flaw to its Known Exploited Vulnerabilities list on April 6, raising pressure to patch internet-facing EMS deployments fast. (cisa.gov)
FortiClient EMS is the management brain for Fortinet’s endpoint fleet. It pushes policies, software, and access settings to laptops and desktops. So when Fortinet says attackers are actively exploiting a bug in that console, this is not a routine patch note — it is a warning that the control plane itself is in play. (fortiguard.fortinet.com)

That is what changed on April 4, when Fortinet published an emergency fix for CVE-2026-35616 and told customers running EMS 7.4.5 or 7.4.6 to install it right away. (filestore.fortinet.com)

### What is FortiClient EMS?

It is the central server admins use to manage FortiClient on employee devices — endpoint protection, VPN settings, ZTNA rules, and compliance checks all flow through it. If that server is compromised, an attacker is not just landing on one machine. (cisa.gov) They are landing on the system that can reach a lot of machines.

### What is the bug, exactly?

CVE-2026-35616 is an improper access control flaw. In plain English, the server fails to enforce the checks that should stop outsiders from doing privileged things. Fortinet says an unauthenticated attacker can send crafted requests and execute unauthorized code or commands. NVD scores it 9.1 out of 10 — critical. (fortiguard.fortinet.com)

### Why is “unauthenticated” the scary word?

Because it means the attacker does not need valid credentials first. No stolen password. No foothold from phishing. If the EMS console is reachable and vulnerable, the bug itself can be the front door. That is why these flaws move so fast in the real world — they are easy to automate and easy to scan for. The Register said exploitation may have started by March 31, days before the public fix landed. (docs.fortinet.com)

### Which versions are affected?

Fortinet’s advisory is unusually narrow but urgent. The affected range is FortiClient EMS 7.4.5 through 7.4.6. Fortinet also says 7.2 is not affected, and that the upcoming 7.4.7 release will include the permanent fix. Until then, customers on 7.4.5 and 7.4.6 are supposed to apply the hotfix package manually. (fortiguard.fortinet.com)

### Why a hotfix instead of a normal release?

Basically, speed. A hotfix lets Fortinet swap in only the binaries needed to close the hole, without waiting for the next full build. That reduces time-to-patch, which matters when exploitation is already happening. Fortinet’s own documentation frames hotfixes as a way to handle urgent issues while lowering the risk of wider side effects. (theregister.com)

### How serious is the government response?

Serious enough that CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalog on April 6. That list is the federal government’s short stack of bugs that are not theoretical anymore. Once a flaw lands there, federal civilian agencies have to patch by the deadline CISA sets, and everyone else gets a pretty clear signal that attackers are already using it. (filestore.fortinet.com)

### What should defenders do right now?

Patch first. Then check whether the EMS server is internet-exposed, review logs around late March and early April, and look for suspicious requests or unexpected command execution on the console. The catch is that EMS is a high-trust system — if it was compromised, downstream endpoints and policy changes may need review too. (docs.fortinet.com) That is the real risk here.

### Bottom line

This is the bad version of a management-server bug — critical severity, no auth required, and active exploitation before most customers had a fix. If you run FortiClient EMS 7.4.5 or 7.4.6, this is an emergency patch, not a maintenance chore. (fortiguard.fortinet.com) (cisa.gov)
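The "What should defenders do right now?" section boils down to a triage order: find every EMS server, decide whether it sits in the affected 7.4.5–7.4.6 range without the hotfix, and deal with the internet-exposed ones first. The script below is an added example written for this article, not Fortinet code or tooling; it encodes only the version facts stated above (7.4.5 and 7.4.6 affected, 7.2 not affected, 7.4.7 carries the permanent fix, the interim hotfix is applied manually). The server inventory is constructed sample data; the `hotfix_applied` and `internet_exposed` fields are assumed to come from your own asset records.

```python
"""Triage helper for FortiClient EMS servers against CVE-2026-35616.

Added example for this article, not Fortinet's own tooling. It encodes the
affected-version facts from the advisory summary above and ranks a fleet of
EMS servers by how urgently each one needs the emergency hotfix.
"""
from dataclasses import dataclass

# Versions the advisory names as affected, and the release with the permanent fix.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
PERMANENT_FIX = (7, 4, 7)


@dataclass
class EmsServer:
    name: str
    version: str           # e.g. "7.4.5"
    hotfix_applied: bool   # emergency hotfix package installed manually (assumed from your asset records)
    internet_exposed: bool  # console reachable from the internet (assumed from your asset records)


def parse_version(v: str) -> tuple:
    """Turn "7.4.5" into (7, 4, 5); reject anything that is not three numeric parts."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(server: EmsServer) -> bool:
    """Vulnerable only if the build is 7.4.5/7.4.6 and the hotfix has not been applied."""
    ver = parse_version(server.version)
    if ver not in AFFECTED:
        # 7.2.x, 7.4.7 and later, and other builds are outside the stated affected range.
        return False
    return not server.hotfix_applied


def priority(server: EmsServer) -> str:
    """P1: vulnerable and internet-reachable; P2: vulnerable but internal; P3: not vulnerable."""
    if not is_vulnerable(server):
        return "P3"
    return "P1" if server.internet_exposed else "P2"


def triage(servers) -> list:
    """Return one row per server, ordered by priority then name, with the action to take."""
    rows = []
    for s in servers:
        p = priority(s)
        if p == "P3":
            action = "not in the affected range (or already hotfixed); no action for this CVE"
        else:
            action = (
                "apply the emergency hotfix now (or upgrade to 7.4.7 once released); "
                "review console logs from late March onward for unexpected requests or "
                "command execution; if compromise is suspected, review downstream endpoint "
                "policies pushed by this server"
            )
        rows.append({"priority": p, "name": s.name, "version": s.version, "action": action})
    rows.sort(key=lambda r: (r["priority"], r["name"]))
    return rows


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    EmsServer("ems-dmz-01", "7.4.6", hotfix_applied=False, internet_exposed=True),
    EmsServer("ems-corp-02", "7.4.5", hotfix_applied=False, internet_exposed=False),
    EmsServer("ems-lab-03", "7.4.5", hotfix_applied=True, internet_exposed=True),
    EmsServer("ems-legacy-04", "7.2.8", hotfix_applied=False, internet_exposed=True),
    EmsServer("ems-new-05", "7.4.7", hotfix_applied=False, internet_exposed=False),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["priority"]}  {row["name"]:<14} {row["version"]:<7} {row["action"]}')
```

Feed it your real inventory in place of `SAMPLE_INVENTORY`; the P1 rows are the internet-facing 7.4.5/7.4.6 consoles that the advisory, the KEV listing, and the March 31 exploitation date all point at first. A hotfixed server is treated as not vulnerable for this CVE only; it still deserves the log review described above if it was exposed before the hotfix went on.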