Attackers exploited this critical FortiClient EMS bug as a 0-day

Emergency patch and the flaw
Fortinet pushed an out-of-band hotfix after reports that attackers were exploiting a critical FortiClient Enterprise Management Server (EMS) bug, tracked as CVE-2026-35616. The vulnerability is an improper access control flaw that can let unauthenticated actors run unauthorized code or commands; it carries a CVSS score of 9.1. Fortinet urged customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 and, according to reports, warned that the flaw had been observed being exploited in the wild.
Federal urgency and vendor silence
The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) Catalog and ordered a quick patch cycle for federal agencies. Who exactly got hit? Fortinet declined to say how many customers were affected, telling reporters only that its PSIRT response and remediation efforts are ongoing and that it is communicating directly with customers.
Scale and the attackers
There are hints and hard data. WatchTowr’s honeypots allegedly first captured exploitation attempts on March 31, and its researchers say the initial activity was “low and slow” before turning noisier — the classic zero-day life cycle. VulnCheck’s Caitlin Condon noted that FortiClient EMS has a relatively small internet footprint; her team found roughly 100 internet-exposed instances. In the past, government-backed groups have allegedly targeted EMS deployments — a reminder that management servers of this kind are high-value targets.
What to do now
Patching is the point of the story. CISA’s KEV listing and the high CVSS score make the fix urgent for any organization using FortiClient EMS. As one researcher put it: the best time to apply the hotfix was yesterday; the second best time is right now.
Sources: The Register