Fortinet has released out-of-band security updates to address a critical vulnerability in its FortiClient Endpoint Management Server (EMS) that is already being actively exploited in the wild.
The vulnerability, tracked as CVE-2026-35616, is described as a missing authorization issue that can lead to code execution. Because the affected code performs no authorization check, an unauthenticated remote attacker can send a specially crafted HTTP request to a certain API endpoint and execute arbitrary commands on the system.
“An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” the company said in an advisory.
The vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6. While a permanent fix is expected in the upcoming 7.4.7 release, Fortinet has issued a hotfix to mitigate the risk in affected versions.
Defused Cyber noted in a post on X that it had observed zero-day exploitation activity. Security firm watchTowr has also reported exploitation attempts.
Fortinet has confirmed that the vulnerability is being actively exploited and is urging all affected customers to apply the available hotfix as soon as possible to reduce the risk of compromise.