Second FortiClient EMS zero-day in two weeks - emergency patch for pre-auth API bypass, actively exploited (CVE-2026-35616)
If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.
- Check: If you run FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency and apply the hotfix now, not after the holiday.
- Affected: FortiClient EMS 7.4.5 and 7.4.6 only. The 7.2 branch and FortiEMS Cloud are not affected.
- Fix: Apply the emergency hotfix for your version immediately: hotfix for 7.4.5 or hotfix for 7.4.6 (see Fortinet release notes). Upgrade to 7.4.7 when available. Restrict the EMS web interface to management VLANs only. Review EMS web/API logs for unusual or unauthenticated API requests from March 31 onward, the date exploitation was first observed.