Hackers have been exploiting a critical vulnerability in FortiClient Endpoint Management Server (FortiClient EMS) since at least the end of March. Fortinet has published an advisory and released an emergency hotfix that can be applied to affected deployments until a patched version can be released.
The vulnerability, now tracked as CVE-2026-35616, allows unauthenticated attackers to remotely execute arbitrary code on FortiClient EMS, which organizations use to manage, monitor, provision, patch, and quarantine endpoint systems. The flaw is rated 9.1 (critical) in the Common Vulnerability Scoring System and was added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities catalog on Monday.
The vulnerability affects FortiClient EMS 7.4.5 and 7.4.6. The company plans to patch the vulnerability in upcoming version 7.4.7. In the meantime, a hotfix can be applied to the EMS Linux Server via the command line. The issue has been patched server-side on FortiClient Cloud and FortiSASE, so only on-premises deployments are impacted.
Researchers from security firm watchTowr first saw exploitation of this vulnerability on March 31, days before Fortinet released its advisory and hotfix. Because the flaw was exploited as a zero-day, users should check deployments for possible compromise in addition to applying the hotfix.
“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” watchTowr CEO Benjamin Harris told CSO. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”
Second FortiClient EMS RCE this year
This zero-day incident comes after Fortinet patched a different flaw in FortiClient EMS in February that attackers also began exploiting in the wild. That vulnerability, tracked as CVE-2026-21643, was an SQL injection flaw that allowed unauthenticated attackers to execute arbitrary commands.
The new vulnerability is an authentication bypass issue that stems from improper access control in the FortiClient EMS API. It allows attackers to execute code on the underlying server without valid credentials or user interaction.
“The two vulnerabilities have not been confirmed as linked, and attribution to a specific threat actor has not been established,” the watchTowr researchers said.
Mitigation and response
In addition to the hotfix, organizations should review their available logs for any suspicious API requests and activity. Unfortunately, there are no published indicators of compromise for this malicious activity yet, so watchTowr recommends auditing all recent changes made to endpoint security policies, VPN configuration profiles, application firewall rules, administrator accounts and access controls, and endpoint compliance configurations.
“If compromise is suspected, do not attempt to clean the affected instance in place,” the researchers said. “Restore from a known-good backup taken before the likely compromise window, or rebuild the EMS instance and migrate the data to it. Where integrity cannot be confidently verified, a full rebuild is the most defensible approach.”