Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
CVE-2026-35616 (CVSS 9.1), exploited since March 31, 2026, affects FortiClient EMS 7.4.5 through 7.4.6, enabling privilege escalation via a pre-authentication API access bypass.
Second Critical FortiClient EMS Flaw in Weeks, Already Exploited
Fortinet has released emergency patches for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS with a CVSS score of 9.1. The flaw affects versions 7.4.5 through 7.4.6 and allows unauthenticated attackers to execute unauthorized code via crafted requests. Exploitation in the wild has been confirmed since March 31, 2026.
What Happened
Security researchers at Defused Cyber and watchTowr independently confirmed active exploitation. watchTowr recorded exploitation attempts against its honeypots starting March 31. The timing was deliberate: attackers ramped up over the Easter weekend, when security teams run at reduced capacity.
This is the second critical unauthenticated vulnerability in FortiClient EMS within weeks. CVE-2026-21643, also scoring CVSS 9.1, came under active exploitation just days before this new flaw surfaced. Whether the same threat actor is behind both remains unknown.
CISA Added It to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, giving federal agencies until April 9 to patch. A hotfix is available now, with a full fix expected in FortiClient EMS 7.4.7.
WAFplanet Take
Two critical unauthenticated RCE-class bugs in the same product within weeks is not a good look for Fortinet. FortiClient EMS is endpoint management software, not a WAF, but it sits in the same security stack that many organizations pair with FortiWeb. The pattern here matters: attackers are specifically targeting security vendor products because those products have privileged network positions. If your security tools themselves become the entry point, the rest of your stack, whether that is FortiWeb, F5, or Imperva, cannot save you. Patch immediately. Do not wait until Tuesday.