FortiClient EMS: Critical code-injection vulnerability is being exploited
Fortinet has provided hotfixes and strongly advises admins to apply them quickly. They patch an exploited code-injection vulnerability.
A zero-day vulnerability exists in FortiClient EMS, which attackers are already exploiting in the wild. This allows them to inject and execute malicious code without prior authentication.
The manufacturer, Fortinet, is now warning about this in a security advisory. According to the advisory, FortiClient EMS has a vulnerability in its access controls that allows attackers to inject and execute unauthorized code or commands via manipulated requests without prior authentication (CVE-2026-35616, CVSS 9.8, risk "critical"). And this is precisely what malicious actors are already doing on the internet, as Fortinet has observed. Fortinet does not provide details about the attacks, such as their nature or scope. Nor does it publish indicators of compromise (IoCs) that would let administrators recognize a successful attack.
Hotfix for now, regular update in progress
Fortinet strongly advises IT administrators with vulnerable FortiClient EMS software to promptly install the hotfixes for FortiClient EMS 7.4.5 and 7.4.6. The manufacturer provides two guides for this: one for the hotfix for FortiClient EMS 7.4.5 and another for FortiClient EMS 7.4.6.
Fortinet also announces version FortiClient EMS 7.4.7, which is expected to contain the fix as a regular update. Until then, the company assures, the aforementioned hotfixes are entirely sufficient to prevent exploitation of the vulnerability. Only the 7.4 versions of FortiClient EMS are affected; the 7.2 development branch is not vulnerable to this flaw.
Fortinet apparently put together the security advisory in great haste. Unlike the CVE vulnerability entry, the advisory's summary only mentions a CVSS score of 9.1, which still indicates a critical security vulnerability. Furthermore, the summary states that there is no exploit for the vulnerability, even though the main text of the advisory explicitly says the flaw is being exploited in the wild.
As a result, IT administrators now have to work over the Easter weekend to apply the updates. While they are at it, they should also check whether their D-Trust certificates have been revoked and therefore need to be replaced by Easter Monday at 5 PM.
(dmk)