{"id":202636,"date":"2026-04-06T11:01:00","date_gmt":"2026-04-06T15:01:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/06\/critical-flaw-in-forticlient-ems-under-exploitation\/"},"modified":"2026-04-06T11:05:32","modified_gmt":"2026-04-06T15:05:32","slug":"critical-flaw-in-forticlient-ems-under-exploitation","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/06\/critical-flaw-in-forticlient-ems-under-exploitation\/","title":{"rendered":"Critical flaw in FortiClient EMS under exploitation"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/critical-flaw-forticlient-ems-exploitation\/816699\/\">Critical flaw in FortiClient EMS under exploitation<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/critical-flaw-forticlient-ems-exploitation\/816699\/\">https:\/\/www.cybersecuritydive.com\/news\/critical-flaw-forticlient-ems-exploitation\/816699\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-06 11:01:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>Fortinet on Saturday warned that a critical zero-day vulnerability in its FortiClient Endpoint Management Server platform is under active exploitation.\u00a0<br \/>\nThe improper access control vulnerability, tracked as CVE-2026-35616, allows an unauthenticated attacker to execute unauthorized code or commands by using specially crafted requests.<br \/>\nFortinet\u00a0urged customers to immediately install an emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6\u00a0in an advisory issued Saturday. 
The upcoming FortiClient EMS 7.4.7 release will include a patched version, but in the meantime, the emergency hotfixes should solve the problem, according to the company.\u00a0<br \/>\nThe company did not specify how long it would take for the 7.4.7 version to be released.\u00a0<\/p>\n<p>Researchers at the vulnerability research firm Defused reported the issue to Fortinet after detecting in-the-wild exploitation activity through its honeypots last week, according to a post on LinkedIn.<br \/>\n\u201cThis vulnerability allows attackers to bypass authentication by spoofing a specific access header and, through this, getting access to the back end,\u201d Defused founder and CEO Simo Kohonen told Cybersecurity Dive.<br \/>\nFortinet acknowledged the vulnerability on Friday and released the advisory on Saturday,\u00a0Kohonen said. Fortinet also thanked researcher Nguyen Duc Anh for additional work to disclose the flaw.\u00a0<br \/>\nShadowserver Foundation on Sunday warned that CVE-2026-3516, as well as CVE-2026-21643, an improper neutralization of special elements flaw in FortiClient EMS 7.4.4, are both being exploited in the wild.\u00a0<br \/>\nResearchers at watchTowr warned the rapid succession of security flaws, combined with the Easter holiday weekend, could make mitigation of the FortiClient vulnerabilities more challenging.\u00a0<br \/>\n\u201cThis is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks,\u201d watchTowr CEO Benjamin Harris told Cybersecurity Dive. \u201cSo, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning.\u201d<br \/>\nCVE-2026-21643 was originally disclosed in February by Fortinet\u2019s product security team. 
Defused on March 28 said it had detected that the vulnerability was under active exploitation since March 24.<br \/>\nShadowserver is tracking about 2,000 exposed instances of FortiClient EMS across the globe, with the U.S. and Germany the leading countries visible.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical flaw in FortiClient EMS under exploitation https:\/\/www.cybersecuritydive.com\/news\/critical-flaw-forticlient-ems-exploitation\/816699\/ Publish Date: 2026-04-06 11:01:00 Source Domain: www.cybersecuritydive.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":202637,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/95OiTyZdLNwMj1EQZxvuZoIJ7JHhLXNAsH9Mqjf_Vbs\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9GVE5ULTkwOS1raWZlci0wNS5qcGc=.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-202636","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202636"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=202636"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202636\/revisions"}],"predecessor-version":[{"id":202638,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202636\/revisions\/202638"}],"wp:featuredme
dia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/202637"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=202636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=202636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=202636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}