Fortinet customers have been urged to update their FortiClient Enterprise Management Server (EMS) products after the vendor was forced to issue an emergency patch over the weekend.<\/p>\n
CVE-2026-35616 is a critical (CVSS 9.1) improper access control vulnerability which could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.<\/p>\n
“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the vendor said<\/a>. “Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely.”<\/p>\n Read more on Fortinet vulnerabilities: Fortinet Warns Exploit Code Available for Critical Vulnerability<\/a><\/em><\/p>\n Cybersecurity vendor Defused explained that it had seen the vulnerability being exploited in zero-day attacks earlier last week and notified Fortinet accordingly.<\/p>\n “The vulnerability allows an unauthenticated attacker to bypass API authentication and authorization entirely, unauthorized code or commands via crafted requests,” Defused said in a social media post.<\/p>\n Defused also discovered another critical vulnerability in the FortiClient EMS platform last week, also being exploited in the wild.<\/p>\n CVE-2026-21643<\/a> is an SQL injection flaw with a CVSS score of 9.8 which could allow unauthenticated attackers to execute unauthorized code via specifically crafted HTTP requests.<\/p>\n By hijacking organizations’ endpoint management infrastructure, threat actors could push malicious updates to endpoints and launch deeper attacks into cloud systems, for possible espionage and ransomware.<\/p>\n For that specific vulnerability, customers were urged to upgrade to version 7.4.5<\/a> or later, or at least disconnect the administrative web interface from the internet. Indicators of compromise (IoCs) included HTTP 500 errors on the \/api\/v1\/init_consts endpoint; unusual database error messages in PostgreSQL logs; and unauthorized remote monitoring and management tools.<\/p>\n Endpoint management solutions are a popular target for threat actors given the access they provide to company device fleets. This can be weaponized in ransomware, cyber espionage or destructive attacks.<\/p>\nSecond Critical Flaw in a Week<\/strong><\/h2>\n