Second Fortinet FortiClient EMS Zero-Day in Weeks — CVE-2026-35616 Under Active Exploitation

Summary

Fortinet has disclosed yet another zero-day vulnerability in its FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616. The improper access control flaw affects FortiClient EMS versions 7.4.5 and 7.4.6 and is confirmed to be actively exploited in the wild. Fortinet has released emergency hotfixes and is urging all customers to apply them immediately.

This comes just weeks after CVE-2026-21643, a critical SQL injection vulnerability in the same product, was also found under active exploitation. The back-to-back zero-days in a core endpoint management platform have put Fortinet customers on high alert.

FortiClient EMS is widely deployed across enterprises for centralized endpoint policy management, making it a high-value target for attackers seeking broad network access through a single compromise.

Commentary

Two zero-days in the same product within weeks is a rough look for Fortinet. FortiClient EMS is essentially the keys to the kingdom for endpoint management — if you pop it, you potentially control every managed device in the environment. Attackers know this, which is why they keep hammering it.

The pattern is concerning: Fortinet products have been a recurring target for advanced threat actors, and the rapid discovery of successive vulnerabilities in the same product suggests deeper code quality issues that patching alone won’t resolve. Organizations running FortiClient EMS should not only patch immediately but also audit for signs of compromise going back several weeks.
