// #ems
3 articles
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Emergency Hotfix Available
A pre-authentication remote code execution zero-day in Fortinet FortiClient Enterprise Management Server (CVE-2026-35616, CVSS 9.1) has been under active exploitation since 31 March 2026, ahead of Fortinet's advisory. CISA added it to the KEV catalogue on 6 April with a federal deadline of 9 April. An emergency hotfix is available without requiring system downtime.
Second Critical FortiClient EMS Flaw in a Month: CVE-2026-21643 Pre-Auth SQL Injection Exposed
Bishop Fox has published full technical details of CVE-2026-21643, a CVSS 9.8 pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that enables unauthenticated remote code execution. The flaw is distinct from last week's CVE-2026-35616 and affects a different version — organisations that patched for CVE-2026-35616 by upgrading to 7.4.5 or 7.4.6 may now be running a version vulnerable to the newer access control flaw.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now
A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.