Summary
On 4 April 2026, Fortinet released a hotfix for a critical vulnerability in FortiClient EMS (CVE-2026-35616) that allows unauthenticated remote threat actors to execute unauthorised code or commands via crafted requests. The flaw stems from improper access control in the API authentication.
Fortinet has confirmed observing exploitation of CVE-2026-35616 in the wild. The vulnerability was responsibly disclosed by Defused, which had observed exploitation prior to Fortinet’s official disclosure. Details of the exploitation have not been disclosed publicly.
At the time of writing, Arctic Wolf has not identified a publicly available proof-of-concept exploit for CVE-2026-35616. Threat actors are likely to further target this vulnerability due to its critical impact and ease of remote exploitation.
CVE-2026-21643
Separately, Defused reported observing exploitation of another recently disclosed FortiClient EMS vulnerability (CVE-2026-21643) as early as 24 March. This vulnerability was originally disclosed in February without observed exploitation, and Fortinet has since updated its advisory to reflect this activity.
Recommendation
Apply Hotfix
Arctic Wolf strongly recommends that customers apply the hotfix to mitigate CVE-2026-35616.
| Product | Affected Versions | Fixed Versions |
| --- | --- | --- |
| FortiClient EMS | 7.4.5 – 7.4.6 | 7.4.5 (hotfix) |
Fortinet has stated that the upcoming FortiClient EMS 7.4.7 release will include a fix for CVE-2026-35616, and in the meantime, the provided hotfixes are sufficient to mitigate the vulnerability.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.