Emergency Patch Issued by Fortinet in Latest FortiClient Vulnerabilities

A privilege-escalation vulnerability in FortiClient, tracked as CVE-2026-35616, is the latest of the Fortinet vulnerabilities to be discovered. It affects FortiClient EMS versions 7.4.5 and 7.4.6, while the 7.2 branch remains unaffected.

How does the vulnerability work

  • If exploited, the vulnerability can allow an unauthenticated attacker to execute code or commands through crafted requests.
  • In its updated security advisory, Fortinet, the network security vendor, confirmed that the flaw has been exploited in the wild.
  • For customers using FortiClient EMS versions 7.4.5 and 7.4.6, it is important to install the hotfix. The advisory states: “Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely.”
  • Hotfixes are typically developed and released while the software is already live; during the development phase, core information on the bug is gathered so that enough documentation and plans are ready to address the issue in a sandbox environment.
  • Security researcher Nguyen Duc Anh discovered the flaw and reported it.

Critical Zero-Day Exploitation Prompts Emergency Action

The vulnerability, tracked as CVE-2026-35616, affects the FortiClient Enterprise Management Server (EMS), a widely deployed system used by organizations to centrally manage endpoint security.

According to security researchers at Defused, the flaw enables a pre-authentication API access bypass, allowing attackers to completely circumvent login and authorization mechanisms. In practical terms, this means a remote attacker can gain control over vulnerable systems without needing valid credentials.

Active Exploitation in the Wild

Fortinet acknowledged that the vulnerability has already been exploited in real-world attacks, classifying it as a zero-day threat—a flaw that attackers begin exploiting before a patch is widely available.

The company attributed the issue to an “improper access control weakness” and released emergency hotfixes over the weekend for affected versions (7.4.5 and 7.4.6). A permanent fix is expected in the upcoming 7.4.7 release.

CISA Adds CVE-2026-35616 to the KEV Catalog

CISA acted fast under the legally binding Operational Directive 22-01 to add the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, a list reserved for security flaws actively used in cyberattacks.

Under the directive, all Federal Civilian Executive Branch (FCEB) agencies must patch or mitigate the vulnerability by midnight on April 9.

Conclusion: 2,000 FortiClient EMS instances are currently exposed to the internet, significantly increasing the attack surface. While CISA’s directive applies specifically to federal agencies, the agency strongly advised private-sector organizations to treat the vulnerability with equal urgency.

This Fortinet vulnerability is a warning sign for both government and private organizations to strengthen their cyber defense.

SecDevOps from Intrucept

It is essential to be vigilant about vulnerabilities, and this is what SecDevOps does: we at Intrucept enable organizations to meet compliance requirements more effectively by automating security testing and monitoring, ensuring that any potential vulnerabilities are detected and addressed before the software is released.

Our team of experts focuses on enabling organizations to develop a SecDevOps culture, which emphasizes incorporating security from the start, with compliance becoming part of robust development practices.

Connect with us if you have any query at https://intruceptlabs.com/contact/ or email us at bq@intruceptlabs.com.

Sources: https://cybersecuritynews.com/cisa-warns-fortinet-vulnerability/