Fortinet patches critical zero-day vulnerability under active attack

April 10, 2026 · 2 min read · 1 source

Fortinet has released an emergency security update to address a critical vulnerability in its FortiClient Enterprise Management Server (EMS) that is being actively exploited in the wild. The flaw, identified as CVE-2023-35616, is an authentication bypass that allows an unauthenticated attacker to achieve remote code execution on vulnerable servers.

The vulnerability carries a CVSS score of 9.8 out of 10, reflecting its maximum severity. According to Fortinet's advisory, the flaw exists in a specific API endpoint, enabling an attacker to bypass authentication and execute arbitrary code with high privileges. The attack can be launched remotely over a network and requires no user interaction. Affected versions include FortiClient EMS 7.2.0 through 7.2.2 and 7.0.1 through 7.0.7.

The impact of a successful exploit is severe. FortiClient EMS is a centralized management platform used to deploy and control endpoint security software across an organization’s entire network. By compromising the EMS server, an attacker could gain a powerful foothold to deploy ransomware, exfiltrate sensitive data, or pivot to other critical systems. Organizations with publicly exposed EMS instances face the most immediate risk of attack.

This incident is the latest in a series of high-severity vulnerabilities discovered in Fortinet products that have been quickly weaponized by threat actors. The company strongly urges all customers using affected versions to update immediately to the patched releases, which are FortiClient EMS 7.2.3 and 7.0.8 or later. Due to the confirmed in-the-wild exploitation, administrators should prioritize applying the patch and are advised to review server logs for any signs of compromise or unusual API requests.
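A quick way to act on the version ranges above is to run an asset inventory through a small checker. The following is an added example, not Fortinet's tooling: it assumes EMS versions are reported as three-part strings like `7.2.1`, and the inventory lines it reads are constructed sample data.

```python
# Affected ranges (inclusive) and the first fixed release per branch, as stated in the advisory summary.
AFFECTED = {
    (7, 2): ((7, 2, 0), (7, 2, 2)),
    (7, 0): ((7, 0, 1), (7, 0, 7)),
}
FIXED = {(7, 2): (7, 2, 3), (7, 0): (7, 0, 8)}

def parse_version(text):
    """Turn '7.2.1' into a comparable tuple (7, 2, 1); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text):
    """Return 'vulnerable', 'patched', or 'unknown' for one EMS version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in AFFECTED:
        return "unknown"   # branch not covered by the advisory summary
    low, high = AFFECTED[branch]
    if low <= v <= high:
        return "vulnerable"
    if v >= FIXED[branch]:
        return "patched"
    return "unknown"       # e.g. 7.0.0, which the text does not classify

# Constructed inventory: "hostname,version" lines such as an asset export might hold.
SAMPLE_INVENTORY = """\
ems-prod-01,7.2.1
ems-prod-02,7.2.3
ems-lab-01,7.0.5
ems-old-01,7.0.8
ems-dmz-01,7.4.0
"""

def triage(inventory_text):
    """Map each host to its status so vulnerable servers can be patched first."""
    result = {}
    for line in inventory_text.splitlines():
        host, _, version = line.partition(",")
        result[host] = assess(version)
    return result

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` sit on a branch or build the advisory summary does not mention and should be checked against the vendor advisory directly.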
