A critical vulnerability, CVE-2026-21643, has been discovered in Fortinet endpoint management systems, which allows attackers to execute code without authorization. The issue has already attracted the attention of attackers, as it opens up direct access to companies’ infrastructure.
Over the weekend, Fortinet released an urgent security patch for a newly discovered critical vulnerability in its FortiClient Enterprise Management Server (EMS). The vulnerability is already being used by threat actors in attacks against EMS installations.
CVE-2026-35616 stems from a lack of proper access controls. In practice, an attacker can run any command or script they choose against the server; all it takes is a specially crafted request. Fortinet also confirmed that the bug is currently being exploited, so anyone running these EMS systems should install the patches as soon as possible.
According to Fortinet, the issue affects FortiClient EMS versions 7.4.5 and 7.4.6. Separate patches have already been released for them:
https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 – for FortiClientEMS 7.4.5
https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 – for FortiClientEMS 7.4.6
The fix will be included automatically in the upcoming 7.4.7 release. Until Fortinet provides further information on that update, the 7.2 branch remains unpatched.
The bug was identified by Defuse researchers, who describe it as an API-level authentication bypass that allows the access control logic to be circumvented entirely. According to Defuse, the bug was exploited as a zero-day before it was publicly announced; Defuse reported it to Fortinet in line with its responsible disclosure policy.
The bug is made more serious by the fact that over 2,000 FortiClient EMS servers are exposed on the internet; according to Shadowserver, the majority of them are located in the U.S. and Germany.
This is the second critical bug in a row: CVE-2026-21643 was disclosed shortly before and is also under active exploitation. Both bugs were researched by Defuse, and the current one is credited to Defuse researcher Nguyen Dik Anh.
Fortinet states that users have two options: apply the patches immediately, or upgrade to version 7.4.7 as soon as it is released. Until then, the risk of an attack resulting in a total loss of their infrastructure remains high.