Fortinet Zero-Day Actively Exploited — NFPs Running FortiClient EMS Must Patch Now

Fortinet has released emergency hotfixes for a critical zero-day vulnerability in FortiClient Endpoint Management Server (EMS) that attackers have been exploiting in the wild since late March. CVE-2026-35616, with a CVSS score of 9.1, is a pre-authentication API bypass: an attacker who can reach the EMS server can execute code on it without any credentials. Security firm watchTowr detected active exploitation on 31 March, days before Fortinet published its advisory on 4 April.

Not-for-profits are disproportionately at risk here. Many NFPs run Fortinet gear because it is cost-effective and widely recommended by managed service providers for smaller organisations. FortiClient EMS is the central console that pushes configuration and security policy to every managed endpoint, so an attacker who compromises it effectively controls your entire endpoint fleet. That puts donor databases, volunteer records and grant documentation on those devices within reach.

If your organisation uses FortiClient EMS version 7.4.5 or 7.4.6, apply Fortinet's emergency hotfix immediately and record which servers have received it: the hotfix is an interim measure, and the permanent fix ships in the upcoming version 7.4.7, but don't wait for that release. As general hardening, keep the EMS management interface off the public internet wherever your deployment allows it. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on 6 April, and this is the second critical FortiClient EMS zero-day in recent weeks: CVE-2026-21643 was also actively exploited shortly after disclosure.
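A quick way to turn an asset list into a patch queue, as an added example that is not part of the original post or any Fortinet tooling: it reads a constructed inventory export, parses version strings into comparable tuples (so that 7.4.10 is not mistaken for an older build than 7.4.6 by string comparison), and flags hosts in the affected range. The CSV columns, including the manually recorded hotfix flag, are assumptions; adapt them to whatever your IT provider or CMDB exports. The flag exists because an applied hotfix may not change the version string the server reports, so the version alone cannot prove the interim fix is present.

```python
# Added example (not from the original post or from Fortinet):
# triage an inventory export for FortiClient EMS builds in the affected range.
import csv
import io
import re
from typing import Dict, Optional, Tuple

# Versions the advisory names as affected, and the release carrying the permanent fix.
AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED_RELEASE = (7, 4, 7)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory; the column names are an assumption.
SAMPLE_INVENTORY = """hostname,product,version,hotfix_applied
ems01.example.org,FortiClient EMS,v7.4.6 build2024,no
ems02.example.org,FortiClient EMS,7.4.5,yes
ems03.example.org,FortiClient EMS,7.4.10,no
fw01.example.org,FortiGate,7.2.9,no
ems04.example.org,FortiClient EMS,,no
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v7.4.6 build2024' into (7, 4, 6). Returns None for anything
    unparseable so the caller flags it instead of silently treating it as safe."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(product: str, version: str, hotfix_applied: str) -> str:
    """Classify one inventory row. 'hotfix_applied' is an assumed, manually
    recorded column: the hotfix may leave the reported version unchanged."""
    if product.strip().lower() != "forticlient ems":
        return "not-ems"
    v = parse_version(version)
    if v is None:
        return "unknown-version: verify manually"
    if v in AFFECTED:
        if hotfix_applied.strip().lower() in ("yes", "true", "1"):
            return "affected-hotfixed: upgrade to 7.4.7 when released"
        return "AFFECTED: apply emergency hotfix now"
    if v >= FIXED_RELEASE:
        return "at-or-above-fixed-release"
    # Older branches are not listed in the post; do not assume they are safe.
    return "not-in-listed-range: confirm against the Fortinet advisory"


def triage_inventory(csv_text: str) -> Dict[str, str]:
    """Map hostname -> triage status for every row of the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        row["hostname"]: triage(row["product"], row["version"], row["hotfix_applied"])
        for row in rows
    }


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:22} {status}")
```

Rows that come back as "unknown-version" are the ones to chase first with your provider, since an empty or odd version field usually means nobody has looked at that box recently.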

If you're not sure whether your IT environment includes FortiClient EMS, now is a good time to ask your IT provider for a full asset audit that lists every Fortinet product and its exact version. All IT Services can help NFPs identify exposed systems and prioritise patching before attackers get there first.