Two critical Fortinet FortiClient EMS flaws are being actively exploited in the wild. If you manage FortiClient EMS, this is a topic you need to understand and act on now.
What happened
Fortinet disclosed two high‑risk vulnerabilities in FortiClient EMS: CVE-2026-35616, an improper access control flaw that could allow an unauthenticated attacker to bypass API checks, and CVE-2026-21643, a severe SQL injection vulnerability. In recent reporting, security researchers and industry outlets have noted that attackers are attempting and in some cases exploiting these flaws in deployed environments. Fortinet has released emergency hotfixes and patch guidance for affected versions. For the official guidance, see the Fortinet advisory. Coverage from industry outlets summarizes the situation: Cybersecurity Dive coverage.
Why it matters
- If you run FortiClient EMS, a compromised EMS server could expose endpoint policies, configurations, and enrollment data across your organization.
- Small businesses relying on EMS for centralized endpoint management face operational and compliance risks if patches are delayed.
- Security teams should treat EMS exposure as a priority; attackers can leverage EMS access for lateral movement within networks.
Practical steps you can take today
- Identify whether FortiClient EMS is deployed in your environment and note the version. If you see versions in the 7.4.x line (such as 7.4.4, 7.4.5, or 7.4.6), act quickly.
- Apply the emergency hotfix or upgrade to FortiClient EMS 7.4.5 or later (7.4.6 or newer if available). See the Fortinet advisory for patch guidance.
- Limit EMS exposure:
- Place EMS behind a VPN or in a protected network segment.
- Restrict inbound access to trusted IPs; disable internet exposure if possible.
- Strengthen authentication:
- Require MFA for admin access to EMS; rotate Fortinet admin credentials.
- Review access logs for unusual login attempts and API activity.
- Review related security controls:
- Monitor for suspicious EMS-related database or API activity.
- Ensure recent backups are available and tested for recovery.
Final thought
These flaws in FortiClient EMS remind us that centralized management tools can become high‑value targets. If you’re affected, patching quickly and hardening access are the smartest steps this week. If you’d like help assessing your EMS deployment, drop a question in the comments and I’ll share a practical checklist in a follow‑up article.