Critical FortiClient EMS Vulnerability (CVE-2026-35616) Under Active Exploitation
**Fortinet** has issued out-of-band patches for a critical pre-authentication API access bypass in **FortiClient EMS**, tracked as **CVE-2026-35616**. The flaw is already being exploited in the wild, and it lets an unauthenticated attacker execute unauthorized code or commands on a vulnerable server.
### CVE-2026-35616: Pre-Authentication API Access Bypass
The vulnerability, designated **CVE-2026-35616** (CVSS score: 9.1), is a pre-authentication API access bypass that could lead to privilege escalation. According to **Fortinet**'s advisory, this improper access control vulnerability ([CWE-284](https://cwe.mitre.org/data/definitions/284.html)) may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
### Affected Versions and Mitigation
The issue affects **FortiClient EMS** versions 7.4.5 through 7.4.6. While a full patch is expected in version 7.4.7, a hotfix has already been released to address the vulnerability. Users are strongly advised to apply the hotfix immediately.
### Discovery and Exploitation Timeline
**Simo Kohonen** from **Defused Cyber** and **Nguyen Duc Anh** are credited with discovering and reporting the vulnerability. **Defused Cyber** noted zero-day exploitation of **CVE-2026-35616** earlier this week on X. According to **watchTowr**, exploitation attempts were first recorded against its honeypots on March 31, 2026.
### Potential Impact
Because the flaw sits in front of authentication, an attacker needs no credentials: crafted requests bypass both API authentication and authorization, and the resulting access can be used to run code or commands on the EMS server. Since EMS manages endpoint agents, a compromised server is a foothold into every managed endpoint, not just one host.
**Fortinet** urges all customers running **FortiClient EMS** 7.4.5 or 7.4.6 to install the hotfix immediately, as the company has observed active exploitation in the wild.
### Context: Another Recent FortiClient EMS Vulnerability
This development follows the recent patching and subsequent active exploitation of another critical vulnerability in **FortiClient EMS** (**CVE-2026-21643**, CVSS score: 9.1). It is currently unknown if the same threat actor is behind the exploitation of both vulnerabilities or if they are being weaponized together.
### Recommendations
Given that both flaws are reachable without authentication and are already being exploited, administrators should apply the hotfix to 7.4.5 and 7.4.6 now and move to 7.4.7 once it ships rather than waiting for the full release. For any EMS instance reachable from the Internet, it is also worth reviewing logs for unexpected API activity going back at least to March 31, 2026, the date **watchTowr** first recorded exploitation attempts, since an unauthenticated bug that was exploited before patches existed may already have been used against the server.
**Benjamin Harris**, CEO and founder of **watchTowr**, emphasized the urgency, stating, "The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental."
He added, "Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity."
"What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in **FortiClient EMS** in a matter of weeks."
"So, once again, organizations running **FortiClient EMS** and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start."