
"The flaw, tracked as CVE-2026-35616, is an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code or commands via crafted requests. It earned a critical 9.1 CVSS rating, and in addition to urging customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, the firewall vendor also warned that it has observed this to be exploited in the wild."
"On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog, and set a Thursday deadline for all federal agencies to apply the patch."
"The good news, according to VulnCheck VP of security research Caitlin Condon, is that FortiClient EMS has a relatively small internet-facing footprint. Condon told The Register that her team's analysis observed about 100 internet-exposed instances."
Fortinet issued an emergency patch for a critical vulnerability in FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-35616. The flaw allows unauthenticated attackers to execute unauthorized code and carries a CVSS rating of 9.1. It has been under attack since at least March 31. CISA added it to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the patch. Fortinet is actively communicating with customers about remediation, while experts note the limited internet exposure of FortiClient EMS instances.
Read at Theregister