The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Fortinet FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6”

Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active zero-day exploitation of the issue.

A few hours ago, Defused researchers warned that attackers are exploiting the FortiClient zero-day. No public POC exists yet; however, this exploit has roughly the same structure as the observed zero-day exploit. Experts recommend watching for traffic from unknown IPs showing X-SSL-CLIENT-VERIFY: SUCCESS.

We are now observing further exploitation of the recent FortiClient zero-day (CVE-2026-35616)

No public POC exists to date, and this exploit has roughly the same structure as the observed zero-day exploit.

To identify potential compromise, defenders should look for… pic.twitter.com/hxEVre8bnf

— Defused (@DefusedCyber) April 6, 2026

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 9, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Fortinet warns of a critical FortiClient EMS zero-day vulnerability that is currently being exploited, allowing attackers to bypass authentication and execute commands.

The post New Fortinet Flaw Allows Unauthorized Access to Enterprise Systems appeared first on TechRepublic.

The post Under Active Attack: Critical 9.1 CVSS FortiClient EMS Flaw Exploited in the Wild appeared first on Daily CyberSecurity.

Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.

A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.

Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.

“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X.

Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data

Attackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj

— Defused (@DefusedCyber) March 28, 2026

In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.

A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.

The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Below are the affected versions:

Version	Affected	Solution
FortiClientEMS 8.0	Not affected	Not Applicable
FortiClientEMS 7.4	7.4.4	Upgrade to 7.4.5 or above
FortiClientEMS 7.2	Not affected	Not Applicable

In February, the vendor did not disclose whether the vulnerability is currently being actively exploited in the wild.

Despite not yet appearing in major exploited lists, real-world attacks have already been observed.

Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).

In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)