Summary
On April 4, 2026, Fortinet a hotfix for a critical vulnerability in FortiClient EMS (CVE-2026-35616) that allows unauthenticated remote threat actors to execute unauthorized code or commands via crafted requests. The flaw stems from improper access control in the API authentication.
Fortinet has confirmed observing exploitation of CVE-2026-35616 in the wild. The vulnerability was responsibly disclosed by Defused, which had . Details of the exploitation have not been disclosed publicly.
At the time of writing, Arctic Wolf has not identified a publicly available proof-of-concept exploit for CVE-2026-35616. Threat actors are likely to further target this vulnerability due to its critical impact and ease of remote exploitation.
CVE-2026-21643
Separately, Defused observing exploitation of another recently disclosed FortiClient EMS vulnerability (CVE-2026-21643) as early as March 24. This vulnerability was originally disclosed in February without observed exploitation, and Fortinet has since updated their advisory to reflect this activity.
Recommendation
Apply Hotfix
Arctic Wolf strongly recommends that customers apply the hotfix to mitigate CVE-2026-35616.
| Product | Affected Version | Fixed Versions |
| FortiClient EMS | 7.4.5 – 7.4.6 | ¡¤??????
¡¤?????? |
Fortinet has stated that the upcoming FortiClient EMS 7.4.7 release will include a fix for CVE-2026-35616, and in the meantime, the provided hotfixes are sufficient to mitigate the vulnerability.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
