Critical Fortinet FortiClient EMS 0-Day Actively Exploited via CVE-2023-48788
Key Takeaways A critical zero-day vulnerability (CVE-2026-35616) in Fortinet FortiClient EMS is under active exploitation. The flaw allows unauthenticated attackers to bypass API authentication,...
Key Takeaways
- A critical zero-day vulnerability (CVE-2026-35616) in Fortinet FortiClient EMS is under active exploitation.
- The flaw allows unauthenticated attackers to bypass API authentication, leading to arbitrary code execution.
- FortiClient EMS versions 7.4.5 and 7.4.6 are affected; emergency hotfixes are available.
- The vulnerability carries a CVSSv3 score of 9.1 (Critical).
Fortinet has rapidly deployed an emergency hotfix to address a critical zero-day vulnerability within its FortiClient EMS product. This flaw, which allows unauthenticated attackers to bypass API security controls, is already being actively exploited in the wild, prompting an urgent call for users to patch their systems.
Table Of Content
Critical Zero-Day Under Active Exploitation
Designated as CVE-2026-35616, this critical vulnerability boasts a CVSSv3 score of 9.1, indicating its severe impact. The weakness allows threat actors to completely circumvent API authentication and authorization mechanisms in the FortiClient Endpoint Management Server (EMS), enabling them to execute arbitrary commands or code on vulnerable systems.
The vulnerability, categorized as CWE-284 (Improper Access Control), specifically affects the API layer of the FortiClient EMS. Its dangerous nature stems from the fact that successful exploitation requires no prior authentication, user interaction, or elevated privileges, posing a significant risk to organizations with internet-facing EMS deployments.
An attacker can leverage specially crafted API requests to bypass all security checks, thereby gaining full control over endpoint management operations. The attack vector is network-based and low in complexity. The potential impact spans confidentiality, integrity, and availability, directly contributing to its near-maximum CVSS rating.
According to Fortinet’s advisory (FG-IR-26-099), the primary consequence of this vulnerability is privilege escalation, with the vendor confirming active exploitation.
Affected Versions and Discovery
Only FortiClient EMS versions 7.4.5 and 7.4.6 are susceptible to this vulnerability. FortiClient EMS 7.2.x is not affected and does not require immediate action related to this specific CVE. While a permanent fix will be integrated into the upcoming FortiClient EMS 7.4.7 release, Fortinet has made emergency hotfixes immediately available for the currently affected branches.
The vulnerability was independently discovered by Simo Kohonen from the threat intelligence firm Defused and researcher Nguyen Duc Anh. Defused identified active in-the-wild exploitation earlier this week and promptly reported it to Fortinet through responsible disclosure protocols. This discovery was facilitated by Defused’s forthcoming Radar feature, which aims to detect novel exploitation activities in real-time.
New Fortinet vulnerability being exploited as an 0-day
CVE-2026-35616 – FortiClient EMS pre-authentication API access bypass – CVSS 9.1 Critical
After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under… pic.twitter.com/GUk5fCAx91
— Defused (@DefusedCyber) April 4, 2026
Fortinet responded swiftly to the report, publishing its advisory and releasing the emergency hotfix on April 4, 2026, the very same day the vulnerability was initially reported.
What You Should Do
- Apply Hotfixes Immediately: Fortinet strongly advises all customers running affected FortiClient EMS versions (7.4.5 and 7.4.6) to apply the emergency hotfixes without delay. Refer to the official release notes for detailed installation instructions:
- For FortiClient EMS 7.4.5, consult the 7.4.5 EMS release notes on the Fortinet documentation portal.
- For FortiClient EMS 7.4.6, consult the 7.4.6 EMS release notes on the Fortinet documentation portal.
- Monitor Logs: Organizations should actively monitor their EMS logs for any unusual API activity, especially unauthenticated requests, which could signal attempted or successful exploitation.
- Restrict External Access: Where feasible, limit external access to the EMS management interface at the network perimeter. This adds a crucial layer of defense until patches are fully deployed across the environment.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



New Fortinet vulnerability being exploited as an 0-day
No Comment! Be the first one.