Fortinet has released an emergency patch for CVE-2026-35616, a critical vulnerability in FortiClient Enterprise Management Server (EMS) that’s being actively exploited in the wild. If your business uses FortiClient EMS to manage endpoint security, this needs your attention today.

The flaw is a pre-authentication API access bypass (CVSS 9.1) that lets an unauthenticated attacker execute code on the server without needing any credentials. Versions 7.4.5 and 7.4.6 are affected. Fortinet released the hotfix on 5 April, and CISA added it to the Known Exploited Vulnerabilities catalog the following day — a signal that exploitation is widespread enough to warrant federal urgency. According to BleepingComputer, security researchers identified over 2,000 exposed instances online. Australia isn’t immune — Fortinet products are common across Australian SMBs and managed service providers.

What to Do Right Now

If you’re running FortiClient EMS 7.4.5 or 7.4.6, apply the hotfix immediately or plan to upgrade to 7.4.7 when it drops. If you’re on version 7.2 or earlier, you’re not affected by this specific flaw — but make sure your update schedule is current anyway.

Check your FortiClient EMS access logs for unusual API requests from unfamiliar IP addresses. If you suspect compromise, rotate all credentials managed through EMS and review your endpoint fleet for anomalies.

If All IT manages your Fortinet environment, we’re already across this. Reach out if you have questions about your exposure.