
A critical zero-day vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) was already being weaponized by attackers when researchers spotted it — and Fortinet had just one day to publish an advisory and emergency hotfix before the story went public.
Tracked as CVE-2026-35616 with a CVSSv3 score of 9.1, the flaw lives in the API layer of FortiClient EMS and allows unauthenticated attackers to completely bypass the server's access controls.
In practical terms: no login, no privileges, no user interaction required — just a crafted API request, and an attacker has arbitrary code execution on a system designed to manage endpoint security across an entire organization.
The vulnerability is classified as CWE-284 (Improper Access Control), meaning the software simply fails to enforce who is allowed to do what through its API. The attack vector is network-based with low complexity, which is exactly the kind of profile that draws automated exploitation at scale.
What makes this disclosure unusual is how it was caught. Simo Kohonen of threat intelligence firm Defused and independent researcher Nguyen Duc Anh identified live exploitation of the flaw using Defused's forthcoming "Radar" feature, a real-time view of novel exploitation activity that is slated to launch next week. In other words, the researchers first saw the bug being used in the wild, and only then followed responsible-disclosure practice to bring it to Fortinet. The flaw was therefore a true zero-day: attackers had it before the vendor did.
Fortinet confirmed the active exploitation in its advisory (FG-IR-26-099) published April 4, 2026, the same day it released emergency hotfixes for both affected versions.
Only FortiClient EMS 7.4.5 and 7.4.6 are vulnerable. Version 7.2.x is entirely unaffected. A permanent fix is coming in 7.4.7, but Fortinet says the hotfixes available now fully mitigate the issue in the meantime.
For organizations running either affected build, applying the hotfix immediately is non-negotiable: EMS sits at the heart of endpoint fleet management, and full compromise of it hands attackers the keys to every managed device. Because exploitation was observed before the advisory existed, patching alone is not enough. Administrators should review EMS web and API logs for requests to API routes that succeeded without a corresponding authenticated session, especially from addresses outside the management network, and treat any such finding as a potential compromise that warrants incident response rather than just a patch. The management interface should also be restricted to trusted networks wherever feasible, and the interim hotfix should be followed by an upgrade to 7.4.7 once it ships.
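The log review described above is the kind of triage a defender does before the vendor publishes indicators. The script below is an added example, not Fortinet code or anything from the advisory: it assumes the EMS web tier's access log is in Apache "combined" format and that API routes live under a `/api/` prefix (both assumptions, marked in comments; adjust to what your deployment actually writes), parses constructed sample lines, and flags API requests that returned a 2xx status to a source outside the management allowlist. Rejected requests (401/403) from outsiders are ordinary scanner noise; a success status to an unauthenticated caller is the signal an access-control bypass would leave.

```python
"""Triage helper: flag successful API calls to a management server's web tier
from addresses outside the management allowlist.

Added example, not Fortinet code. The log format, API prefix, sample lines
and addresses below are assumptions constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTION: the web tier writes Apache "combined" format. Change this regex if
# your server logs a different layout (for example IIS W3C fields).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# ASSUMPTION: API routes live under this prefix; confirm against your own logs.
API_PREFIX = "/api/"


@dataclass(frozen=True)
class Hit:
    src: str
    user: str      # authuser field; "-" when the server recorded no identity
    ts: str
    method: str
    path: str
    status: int
    ua: str


def parse_line(line):
    """Parse one combined-format line into a Hit, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["src"], m["user"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def is_allowlisted(src, networks):
    """True if src is inside any of the given ipaddress networks.
    An unparsable source is treated as untrusted so it surfaces for review."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def flag_external_api_success(log_text, allowlist):
    """Return API requests that succeeded (2xx) from sources outside allowlist.

    A 401/403 from an outsider is expected noise; a 2xx is what an
    access-control bypass looks like from the server's side.
    """
    networks = [ipaddress.ip_network(n) for n in allowlist]
    flagged = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None or not hit.path.startswith(API_PREFIX):
            continue
        if 200 <= hit.status < 300 and not is_allowlisted(hit.src, networks):
            flagged.append(hit)
    return flagged


def summarize_by_source(hits):
    """Count flagged requests per source address."""
    counts = {}
    for h in hits:
        counts[h.src] = counts.get(h.src, 0) + 1
    return counts


# Constructed sample log (not real EMS output). Management traffic comes from
# 10.0.5.0/24; 198.51.100.77 and 203.0.113.9 are documentation-range addresses
# standing in for outside sources.
SAMPLE_LOG = """\
10.0.5.20 - admin [04/Apr/2026:09:12:01 +0000] "POST /api/v1/auth HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.5.20 - admin [04/Apr/2026:09:12:05 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.77 - - [04/Apr/2026:09:14:33 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 9021 "-" "python-requests/2.31"
198.51.100.77 - - [04/Apr/2026:09:14:34 +0000] "POST /api/v1/policies HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.9 - - [04/Apr/2026:09:20:10 +0000] "GET /api/v1/endpoints HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.9 - - [04/Apr/2026:09:20:11 +0000] "GET /login HTTP/1.1" 200 1200 "-" "curl/8.5.0"
"""
MGMT_ALLOWLIST = ["10.0.5.0/24"]  # ASSUMPTION: replace with your management ranges

if __name__ == "__main__":
    hits = flag_external_api_success(SAMPLE_LOG, MGMT_ALLOWLIST)
    for h in hits:
        print(f"{h.ts} {h.src} {h.method} {h.path} -> {h.status} (user={h.user}, ua={h.ua})")
    print(summarize_by_source(hits))
```

On the constructed input this flags the two successful API calls from 198.51.100.77 and ignores the 401 and the non-API `/login` hit from 203.0.113.9. The allowlist is doing the real work here: the authuser field in combined-format logs is only populated for HTTP basic authentication, so for a session-cookie application it is "-" on legitimate requests too and cannot on its own distinguish an authenticated session from a bypass. Pair the output with the server's own session or audit records when you have them.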
Hotfix installation instructions are in the FortiClient EMS 7.4.5 and 7.4.6 release notes on Fortinet's documentation portal.