What's Happening?
Fortinet has released an emergency patch for its FortiClient Enterprise Management Server (EMS) products following the discovery of a critical vulnerability, identified as CVE-2026-35616. This vulnerability, with
a CVSS score of 9.1, allows unauthenticated attackers to execute unauthorized code or commands through crafted requests. The cybersecurity vendor Defused reported that this vulnerability was being actively exploited in zero-day attacks, prompting Fortinet to urge customers to install the hotfix for FortiClient EMS versions 7.4.5 and 7.4.6. An upcoming version, 7.4.7, will also address this issue. Additionally, another critical vulnerability, CVE-2026-21643, was discovered in the FortiClient EMS platform, which is an SQL injection flaw with a CVSS score of 9.8. This flaw could allow attackers to execute unauthorized code via crafted HTTP requests, potentially leading to deeper attacks on cloud systems.
Why It's Important?
The vulnerabilities in Fortinet's FortiClient EMS products highlight significant security risks for organizations relying on these systems for endpoint management. Such vulnerabilities can be exploited by threat actors to gain unauthorized access to company device fleets, which can be weaponized for ransomware, cyber espionage, or destructive attacks. The ability to push malicious updates to endpoints poses a severe threat to organizational security, potentially leading to data breaches and operational disruptions. The swift response by Fortinet to issue patches underscores the critical nature of these vulnerabilities and the importance of maintaining up-to-date security measures to protect against evolving cyber threats.
What's Next?
Organizations using FortiClient EMS are advised to promptly apply the available hotfixes and prepare for the release of version 7.4.7, which will include a comprehensive fix for the identified vulnerabilities. It is crucial for affected entities to monitor for indicators of compromise, such as unusual database error messages and unauthorized remote monitoring activities. Additionally, disconnecting the administrative web interface from the internet can mitigate the risk of exploitation. As cybersecurity threats continue to evolve, companies must remain vigilant and proactive in updating their security protocols to safeguard against potential attacks.
