Fortinet Issues Urgent Warning Over Zero-Day Vulnerability Allowing Full Remote Access

Attackers can execute code without credentials on unpatched FortiClient EMS servers, and CISA says federal agencies have three days to patch

Published on Apr 7, 2026
Fortinet Urges Immediate Patching as Zero-Day Exploitation Targets FortiClient EMS

Fortinet released emergency fixes for a critical zero-day vulnerability affecting its FortiClient Enterprise Management Server (EMS) on April 5, warning that attackers have already exploited the flaw in real-world attacks.

Tracked as CVE-2026-35616, the issue carries a CVSS score of 9.1 and is caused by improper access control.

According to Fortinet’s advisory, the vulnerability allows unauthenticated attackers to send specially crafted requests to exposed systems and execute remote code without the need for valid credentials.

“A compromised FortiClient EMS allows attackers to push malicious payloads to the entire managed fleet, turning a single exploit into a total enterprise breach,” Jacob Warner, Director of IT at Xcape, told Expert Insights. “If your management console is still reachable from the public Internet, you are essentially crowdsourcing your admin privileges.”

Fortinet issued hotfixes for versions 7.4.5 and 7.4.6, noting that version 7.2 is not impacted. A permanent fix is expected in the upcoming 7.4.7 release. The status of version 8.0 is currently unknown.

Widespread Exposure Raises Risk for Internet-Facing Systems

Security researchers warned that the attack surface is significant. The Shadowserver Foundation said on April 5 in an X post that approximately 2,000 FortiClient EMS instances are currently accessible from the internet, making them susceptible to exploitation. The majority of these exposed instances are located across the US and Germany.

“Which brings us to the only practical strategy left,” Denis Calderone, CTO at Suzu Labs, told Expert Insights, “which is to stop exposing the management server UIs and APIs to the internet. The EMS admin interface is what’s being targeted here. If it’s reachable, you’re at risk.”

The vulnerability was discovered and responsibly disclosed by Simo Kohonen of Defused Cyber and independent researcher Nguyen Duc Anh, who identified it as a pre-authentication API bypass. This enabled attackers to circumvent authentication and authorization measures entirely.

CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, requiring federal agencies to apply patches by April 9.

For security leaders, the incident is a reminder that management consoles exposed to the internet represent a category of risk that patch management alone can’t solve. The attack surface for tools like FortiClient EMS exists by design if the interface is reachable. Removing that exposure (not just patching it) is the durable fix.