
U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

7 April 2026, 05:59

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Fortinet FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6.”

Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active zero-day exploitation of the issue.

A few hours ago, Defused researchers warned that attackers are exploiting the FortiClient zero-day. No public PoC exists yet; the newly observed exploitation has roughly the same structure as the original zero-day exploit. Experts recommend watching for traffic from unknown IPs showing X-SSL-CLIENT-VERIFY: SUCCESS.
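As an added illustration of the detection advice above (this is example code written for this page, not code from the article or from Defused), the following Python script scans reverse-proxy access-log lines for requests that carry `X-SSL-CLIENT-VERIFY: SUCCESS` from source addresses outside an allowlist of known managed-client networks. The log format, the allowlist range, the addresses, timestamps and request paths are all constructed assumptions; the only element taken from the page is the header value to look for.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample: a hypothetical reverse-proxy access log in which the
# X-SSL-CLIENT-VERIFY request header is logged as the final quoted field.
# Format, IPs, timestamps and paths are assumptions made for this example.
SAMPLE_LOG = """\
10.20.0.15 - - [06/Apr/2026:09:14:02 +0000] "POST /api/v1/register HTTP/1.1" 200 512 "X-SSL-CLIENT-VERIFY: SUCCESS"
10.20.0.16 - - [06/Apr/2026:09:14:05 +0000] "GET /api/v1/status HTTP/1.1" 200 128 "X-SSL-CLIENT-VERIFY: NONE"
203.0.113.77 - - [06/Apr/2026:09:15:41 +0000] "POST /api/v1/admin HTTP/1.1" 200 2048 "X-SSL-CLIENT-VERIFY: SUCCESS"
198.51.100.9 - - [06/Apr/2026:09:16:03 +0000] "POST /api/v1/admin HTTP/1.1" 200 2048 "X-SSL-CLIENT-VERIFY: success"
10.20.0.15 - - [06/Apr/2026:09:17:12 +0000] "GET /api/v1/status HTTP/1.1" 200 128 "X-SSL-CLIENT-VERIFY: SUCCESS"
"""

# Assumed allowlist: the networks where managed FortiClient endpoints live.
# This is the part to tune per environment.
KNOWN_CLIENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# One combined-style log line with the header appended as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "(?P<hdr>[^"]*)"$'
)
# Header name is case-insensitive; the value is normalised below so that
# case variants of SUCCESS do not slip past the check.
HEADER_RE = re.compile(r"^X-SSL-CLIENT-VERIFY:\s*(?P<val>\S+)$", re.IGNORECASE)


def is_known_client(ip_text: str) -> bool:
    """True when the address parses and falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_CLIENT_NETWORKS)


def find_suspicious(lines: Iterable[str]) -> list:
    """Return requests whose X-SSL-CLIENT-VERIFY header claims SUCCESS but
    whose source IP is not inside a known managed-client network."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; in production, count and alert on these too
        h = HEADER_RE.match(m["hdr"])
        if not h or h["val"].upper() != "SUCCESS":
            continue
        if not is_known_client(m["ip"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['request']}")
```

Run against the constructed sample, the script reports the two requests from 203.0.113.77 and 198.51.100.9 and ignores the lines from the 10.20.0.0/16 range, including the one whose header value is NONE. The allowlist is deliberately the only environment-specific knob: the page's advice is to treat the header as interesting when the source is unknown, so accuracy depends on keeping that list current rather than on the regex.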

🚨 We are now observing further exploitation of the recent FortiClient zero-day (CVE-2026-35616)

No public POC exists to date, and this exploit has roughly the same structure as the observed zero-day exploit.

To identify potential compromise, defenders should look for… pic.twitter.com/hxEVre8bnf

— Defused (@DefusedCyber) April 6, 2026

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 9, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Firewall Daily – The Cyber Express, by Ashish Khaitan

FortiClientEMS Vulnerabilities Under Active Exploitation, Expose Systems to RCE


A newly disclosed set of vulnerabilities affecting Fortinet’s endpoint management platform has raised serious concerns among cybersecurity professionals, particularly as both flaws are already being actively exploited. The issues, tracked as CVE-2026-35616 and CVE-2026-21643, impact FortiClientEMS and expose systems to unauthenticated remote code execution (RCE), with attackers requiring no prior access to compromise affected servers.

One of the vulnerabilities, CVE-2026-21643, stems from an improper neutralization of special elements in SQL commands, commonly referred to as a SQL Injection flaw (CWE-89). This weakness exists within the administrative interface of FortiClientEMS, allowing unauthenticated attackers to send specially crafted HTTP requests and execute unauthorized code or commands.

Critical SQL Injection Flaw in FortiClientEMS (CVE-2026-21643)

Security researchers have confirmed that this SQL Injection issue is not just theoretical. It has already been observed being exploited in real-world attacks, increasing the urgency for mitigation. Because the flaw does not require authentication, attackers can directly target exposed systems, making it a particularly dangerous entry point.

In terms of affected versions, FortiClientEMS 7.4.4 is vulnerable and requires an upgrade to version 7.4.5 or later. Versions 8.0 and 7.2 are not affected by this issue. The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet’s Product Security team. The initial advisory was published on February 6, 2026, with a subsequent clarification removing FortiEMS Cloud from the affected products list.

Improper Access Control Vulnerability (CVE-2026-35616)

The second major flaw, CVE-2026-35616, involves improper access control (CWE-284) in FortiClientEMS. This vulnerability enables attackers to bypass API authentication and authorization mechanisms, again allowing unauthenticated execution of arbitrary code or commands through crafted requests.

Like the SQL Injection flaw, CVE-2026-35616 has also been confirmed to be actively exploited in the wild. The potential impact is severe, as successful exploitation could lead to a complete compromise of the FortiClientEMS server.

The vulnerability was officially published on April 4, 2026, and later added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) Catalog on April 6, 2026. CISA noted that such vulnerabilities are frequently used by malicious actors and pose significant risks, particularly to federal enterprise environments.

Government and Industry Response

The Cyber Security Agency of Singapore (CSA) issued an alert on April 6, 2026, warning of the active exploitation of CVE-2026-35616 in FortiClientEMS deployments. The advisory noted the critical nature of the vulnerability and urged organizations to take immediate action.

According to the alert, “successful exploitation of this vulnerability could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests, potentially resulting in a full compromise of the FortiClient EMS server.” The agency also reiterated that exploitation activity has already been observed in the wild.

Affected Versions and Mitigation Steps

The improper access control vulnerability CVE-2026-35616 affects FortiClientEMS versions 7.4.5 through 7.4.6. Organizations using these versions are advised to apply the available hotfix immediately and upgrade to version 7.4.7 or later once it becomes available.

Fortinet has provided specific guidance for applying fixes through its official release notes for versions 7.4.5 and 7.4.6. The company has indicated that the upcoming FortiClientEMS 7.4.7 release will include a permanent fix, while the currently available hotfix is sufficient to fully mitigate the issue in the interim.

For CVE-2026-21643, upgrading from version 7.4.4 to 7.4.5 or above resolves the SQL Injection vulnerability.

CVE-2026-35616: Fortinet fixes actively exploited high-severity flaw

6 April 2026, 02:10

Fortinet issued emergency patches for a critical FortiClient EMS flaw (CVE-2026-35616) actively exploited in the wild.

Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6.”

Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active exploitation of the issue as a zero-day.

🚨 New Fortinet vulnerability being exploited as an 0-day

CVE-2026-35616 – FortiClient EMS pre-authentication API access bypass – CVSS 9.1 Critical

After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under… pic.twitter.com/GUk5fCAx91

— Defused (@DefusedCyber) April 4, 2026

Recently, Defused researchers warned that threat actors are exploiting a vulnerability, tracked as CVE-2026-21643 (CVSS score: 9.1), in Fortinet’s FortiClient EMS platform.

🚨 Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data

Attackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj

— Defused (@DefusedCyber) March 28, 2026

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)
