Fortinet on April 4 released a hotfix for a critical 9.8 bug in FortiClient EMS 7.4.5 and 7.4.6, saying that it had observed exploitation in the wild.The API access bypass flaw – tracked as CVE-2026-35616 – was first reported to Fortinet by DefusedCyber, which posted on X about the bug early Saturday morning.Security pros say teams need to apply the hotfix right away because this is the second critical bug found exploited in FortiClient in about a week, such attacks on a management system could result in lateral movement, and it came over Easter weekend when many teams are understaffed.“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” said Benjamin Harris, founder and CEO at watchTowr. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”Harris said it’s disappointing that this represents the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks.“So, once again, organizations running FortiClient EMS and exposed to the internet should treat this as an emergency response situation, not something to pick up on Tuesday morning,” said Harris. “Apply the hotfix, attackers already have a head start.”Itai Goldman, co-founder and CTO at Miggo Security, added that weekend disclosures of internet-reachable critical applications like Fortinet's are almost a new baseline. Goldman said threat actors weaponize vulnerabilities at amazing velocity, and defenders must treat this as a race.“Unfortunately, for many security teams this reality of constantly chasing a patch is untenable, especially for legacy systems or during code freezes, patching can create application downtime,” said Goldman. “We are seeing more and more teams turning to mitigation by deploying targeted WAF rules to choke off the attack surface. In today’s threat landscape, successfully buying time is just as critical as the patch itself."John Bambenek, president at Bambenek Consulting, pointed out this type of activity was seen with the Handala Group in the Stryker case a few weeks ago, when it attacked Microsoft InTune MDM devices. Bambenek said a Fortinet EMS portal that’s exposed to the open internet could be configured with some effort to deploy ransomware on all Fortinet-managed devices in an organization.“This was detected from a third-party security company who saw the zero-day exploitation in the wild, which only increases the level of concern,” said Bambenek. “Organizations should patch immediately and, if possible, remove EMS visibility from the open internet.”
Vulnerability Management, Patch/Configuration Management, Identity

Fortinet issues Easter weekend hotfix for FortiClient EMS

(Credit: Rafael Henrique – stock.adobe.com)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



