Fortinet releases emergency hotfix for FortiClient EMS zero-day flaw
Summary
Fortinet has released an emergency hotfix for a critical zero-day vulnerability (CVE-2026-35616) in FortiClient EMS, allowing unauthenticated attackers to remotely execute arbitrary code. This flaw, rated 9.1 CVSS, has been actively exploited since late March and was added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability affects specific versions of FortiClient EMS, with a patched version expected soon, while cloud-based deployments are already secured.
IFF Assessment
The active exploitation of a critical zero-day vulnerability by unauthenticated attackers poses a significant threat to organizations managing their endpoints with FortiClient EMS.
Severity
The CVSS score of 9.1 indicates a critical severity, reflecting the vulnerability's potential for unauthenticated remote code execution, which is a highly impactful attack vector.
Defender Context
Organizations using FortiClient EMS should immediately apply the emergency hotfix to affected on-premises deployments, as this vulnerability is actively being exploited in the wild. Because the flaw was exploited as a zero-day before any fix existed, defenders should also investigate their systems for signs of compromise that may have occurred before the hotfix was applied; patching alone does not remove an attacker who is already present.