Fortinet has released an urgent fix after security experts disclosed a zero-day flaw in FortiClient EMS that is being used by hackers. CVE-2026-35616 is an Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Successful attacks do not need any login, user action, or special access. This makes them very risky for organizations with EMS systems open to the internet.
Fortinet’s advisroy (FG-IR-26-099) said the main problem is privilege escalation, and the vendor has confirmed it is being exploited in the wild.
Fortinet FortiClient EMS 0-Day
Only FortiClient EMS versions 7.4.5 and 7.4.6 are impacted. FortiClient EMS 7.2.x is fine and does not need any action. The next FortiClient EMS 7.4.7 will have a permanent fix, but Fortinet has provided emergency hotfixes right away for both affected versions while the new release is being completed.
Simo Kohonen from the threat intelligence company Defused and independent researcher Nguyen Duc Anh found the vulnerability.
Defused observed active in-the-wild exploitation of the flaw earlier this week before reporting it to Fortinet under responsible disclosure protocols. The discovery was made using Defused’s upcoming Radar feature, set to launch next week, which is designed to surface novel exploitation activity in real time.

Fortinet acted quickly after getting the report. They shared their advisory and launched the emergency hotfix on April 4, 2026, the same day they published it.
Fortinet asks all customers with the affected versions to quickly install the emergency hotfix. You can find detailed steps in the official FortiClient EMS release notes for each version.
Organizations need to check their EMS logs for strange API activity, especially for unauthenticated requests that could show past exploitation attempts.
Limiting outside access to the EMS management interface at the network edge helps improve security while patches are being applied.
InfoSecBulletin Cybersecurity for mankind
