Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
Fortinet Issues Emergency Patch for Critical FortiClient EMS Zero-Day (CVE-2026-35616)
TL;DR
Fortinet has released an out-of-band hotfix for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS. Rated CVSS 9.1, the flaw lets an unauthenticated attacker execute unauthorized code or commands on the EMS server. Active exploitation has been confirmed, and administrators are urged to apply the hotfix immediately.
Fortinet has issued an emergency advisory and out-of-band patches following the discovery of a critical security flaw in its FortiClient Endpoint Management Server (EMS). The vulnerability, tracked as CVE-2026-35616, is already being exploited in the wild as a zero-day.
Anatomy of the Vulnerability
The flaw is categorized as an improper access control vulnerability (CWE-284) with a critical CVSS score of 9.1.
According to Fortinet, the issue is a pre-authentication API access bypass: an unauthenticated attacker who can reach the EMS API can sidestep its authentication and authorization checks. By sending specifically crafted requests to an affected server, the attacker can escalate privileges and execute unauthorized code or commands.
Affected Versions and Remediation
The vulnerability impacts the following versions of FortiClient EMS:
- FortiClient EMS 7.4.5
- FortiClient EMS 7.4.6
Fortinet plans to ship a permanent fix in version 7.4.7. Because the flaw is already being exploited, the company has released an interim hotfix for 7.4.5 and 7.4.6 rather than waiting for that release. Organizations should treat this as an emergency change and apply the hotfix without delay, then move to 7.4.7 once it is available. The advisory summarized here lists only 7.4.5 and 7.4.6 as affected; administrators running other branches should confirm their status against Fortinet's own advisory rather than assume they are unaffected.
Active Exploitation and Timeline
The discovery and reporting of the flaw are credited to Simo Kohonen of Defused Cyber and Nguyen Duc Anh.
The reported timeline shows that exploitation was under way before the hotfix was available:
- March 31, 2026: Cybersecurity firm watchTowr recorded the first exploitation attempts against its honeypots.
- Earlier this week: Defused Cyber reported observing zero-day exploitation of the flaw.
- Holiday timing: Benjamin Harris, CEO of watchTowr, noted that the surge in exploitation likely coincided with the Easter holiday weekend. Attackers frequently pick such windows, when security teams are understaffed or slower to respond.
A Troubling Pattern
This disclosure follows closely on the heels of another critical vulnerability in FortiClient EMS, CVE-2026-21643 (also CVSS 9.1), which was recently patched and also saw active exploitation.
At this time, it is not confirmed if the same threat actor is responsible for both vulnerabilities or if the flaws are being weaponized together in a single attack chain. However, the rapid succession of two unauthenticated vulnerabilities in the same product has raised significant concerns within the security community.
Conclusion
With attackers already having a head start, the remediation window is narrow. Organizations running exposed FortiClient EMS instances should not wait for the standard patch cycle and should apply the available hotfix immediately to prevent unauthorized command execution and follow-on network compromise. Because exploitation preceded the patch, applying the hotfix does not undo a compromise that has already occurred: any EMS server that was reachable by attackers before the fix should also be reviewed for signs of unauthorized access, and its management interface should not be exposed to untrusted networks.
Source: The Hacker News - Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS