Fortinet Emergency Patch: Actively Exploited FortiClient EMS Flaw Raises RCE Risk

Fortinet customers have a new priority patch on their hands after the company disclosed CVE-2026-35616, an improper access control vulnerability in FortiClient EMS. According to Fortinet, the bug affects versions 7.4.5 through 7.4.6 and can let an unauthenticated attacker execute unauthorized code or commands via crafted requests. Fortinet said it has observed exploitation in the wild and urged customers on vulnerable versions to install the emergency hotfixes.

The U.S. Cybersecurity and Infrastructure Security Agency has also treated the issue as a live threat. CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, confirming active exploitation and signaling that defenders should treat this as more than a theoretical risk. The vulnerability carries a high impact profile in the NVD, with network-based attack vector, no privileges required, and high impact on confidentiality, integrity, and availability.

For defenders, the takeaway is simple: this is the kind of edge-to-management weakness that can quickly turn into a broader compromise if left exposed. Organizations using FortiClient EMS should verify version exposure immediately, apply the relevant hotfix, and review logs for suspicious pre-auth API activity. In a year already crowded with urgent patch alerts, Fortinet’s latest disclosure is another reminder that remote management and security tooling remain prime targets for attackers.