The Latest

It's officially the end of an era for the Samsung Galaxy community: Samsung is discontinuing its messaging app. If you're a Samsung Messages user, the company says you should plan to migrate to Google Messages to "upgrade your messaging experience."

This deprecation isn't taking effect immediately, however. According to Samsung's official end of service announcement, the company will discontinue Samsung Messages in July 2026. That means you still have roughly three months to keep using the app, if it happens to be your messaging client of choice. That said, the company is encouraging users to set Google Messages as their default messaging app today to "maintain a consistent messaging experience on Android." Samsung says the app will tell users when service will be discontinued.

Samsung is really pushing Google Messages in this end-of-service announcement. The company touts the app's features, like Scam Detection, RCS messaging, AI features, and cross-platform connectivity, so you can pick up another Android device and keep chatting. To their credit, some of these features do make Google Messages the stronger messaging app compared to Samsung Messages—in particular, RCS support. Samsung Messages users are stuck with SMS chats, which limits conversations in terms of both security and functionality. SMS chats don't support high-resolution photo and video sharing, nor do they manage modern group chats well. Crucially, they aren't encrypted, which puts your conversations at risk. While not all RCS chats are encrypted, the ones that are protect your conversations from would-be attackers.

It's not like this decision came totally out of the blue. If you've bought a new Samsung Galaxy device in recent years, you'll notice that Samsung Messages didn't come preinstalled. Instead, you had to seek it out and install it yourself from Samsung's Galaxy Store. Samsung says Galaxy S26 devices can't even download the app, and that following its deadline, no devices will be able to download the app.

Also important to note for some users: Tizen OS watches (watches that were launched before Galaxy Watch4) can't run Google Messages. These watches will not be able to display full message conversations after July 2026. However, you'll still be able to read and send messages.

You can keep using Samsung Messages after the deadline

Not everyone will need to move to Google Messages, however. If you're using an Android device running Android 11 or older, Samsung says you are not affected by this end of service. This will likely impact a small fraction of the Galaxy community, seeing as we're currently on Android 16 (or One UI 8, in Galaxy world). But if you do have an older Android device, you can keep using the app.

In addition, Samsung outlines some specific situations where the app will continue to send messages—even on phones running Android 12 or newer. If you try to send a typical text, it won't go through. However, you will be able to send messages to emergency service numbers. If you text 911 on a Galaxy phone with Samsung Messages, it will work, according to Samsung.

That makes sense—Samsung likely doesn't want to deal with a situation where someone tries to contact emergency services on its unsupported app and cannot get help. But what I find even more interesting is that Samsung Messages will also still work when texting emergency contacts. If you've defined someone as an emergency contact on your Galaxy, you'll be able to text them still.


from Lifehacker https://ift.tt/4jJzUHP


If you've been eyeing a Whoop fitness tracker but unsure about the membership cost, your Chase Sapphire card might be about to make that decision a whole lot easier. Through May 12, 2026, Chase is offering cash back on Whoop memberships for both Sapphire Reserve and Sapphire Preferred cardholders—and for Reserve members, the deal effectively covers the entire cost of a year's membership.

What is Whoop?

Whoop is a health and fitness company that makes a wearable tracker and companion app focused on recovery, sleep, and strain. You've probably seen one of these screenless wristbands out in the wild, since Whoop has been one of the best fitness trackers out there for years now. Unlike other fitness wearables, Whoop operates on a membership model, where you pay for access to the platform and the hardware comes included.

What's the Chase Sapphire promotion?

Chase Sapphire Reserve cardholders can receive a one-time $359 statement credit for a Whoop Life membership (which covers the total cost of an annual membership) when they use their card to purchase a Life membership on Whoop. Chase Sapphire Preferred cardholders can receive a one-time $100 statement credit toward the cost of any Whoop annual membership when they use their card to purchase any Whoop membership on the site, too.

Simply put: If you have the Sapphire Reserve, you can get a full year of Whoop Life at no out-of-pocket cost. If you have the Sapphire Preferred, you'll get $100 knocked off whichever annual plan you choose.

How to activate the offer

You can't just make the purchase and expect the credit to apply automatically: You must activate the offer through the Chase Offers portal by May 12, 2026, before making a membership purchase.

First, log in to your Chase account online or through the Chase mobile app. Navigate to the Chase Offers section, which you can typically find under your card's benefits or in the "Explore" tab of the app. Search for the Whoop offer and click "Add to Card" to activate it. Once the offer is added to your card, head to Whoop and purchase the appropriate annual membership. Make sure you use the Chase Sapphire card you activated the offer on at checkout. Your statement credit will then be applied after the qualifying purchase posts to your account.

Remember: Don't skip activation. If you buy the membership before activating, you won't receive the credit.

The bottom line

If you were already planning to try Whoop, this is a great opportunity, especially for those Sapphire Reserve holders getting the membership for free. Even for Preferred cardholders, $100 off is a solid discount on what is otherwise a recurring annual expense.

The main thing to keep in mind is the deadline. The offer must be activated through the Chase Offers portal by May 12, 2026, and the purchase must be made using the card the offer was activated on, at Whoop.com. Do both of those things in the right order, and you're all set.


from Lifehacker https://ift.tt/ES9lqym


The JBL PartyBox 720 is down to $799.95 on Woot, a drop from its $1,099.95 list price and below its current $899.95 listing on Amazon. That almost lines up with the lowest price recorded so far, which was $798, according to price-trackers. Also, shipping is free for Amazon Prime members, while everyone else pays a $6 fee. This deal is set to run for about five days, though it could end sooner if stock runs out.

This is the larger and more powerful sibling to the JBL PartyBox Stage 320, which Lifehacker writer Daniel Oropeza covered in detail in this review. In use, the difference shows up in how much sound it can push. The 720 gets loud enough for outdoor setups or crowded rooms without sounding thin. Bass hits hard, mids stay clear, and highs don’t get lost even as you turn it up. There is some compression at the top end, especially in the low frequencies, but it still holds together better than smaller models. You can tweak the sound through the EQ in the app or use the Bass Boost when you want more punch. The speaker runs on dual detachable batteries with a claimed 15 hours of playback, and it supports Auracast if you want to link multiple compatible speakers. It also leans into the “party” angle with built-in RGB lighting and karaoke inputs, so you can plug in a mic and use it without extra gear.

The downsides come from its size and design. This is a large and heavy speaker, so even though it has wheels, you are not going to move it around as casually as a smaller speaker. It also throws sound forward (having a front-facing design), so where you place it in a room will shape how evenly the music reaches everyone. And while it can handle a few splashes with its IPX4 rating, it is not built for heavy exposure to water or rough conditions. As for its battery life, it holds up for a night, but it does not stretch as far as the JBL PartyBox Stage 320, which can last well over 20 hours.



from Lifehacker https://ift.tt/VnpOcxN

Proton Authenticator is a free and open-source two-factor authentication (2FA) app that generates time-based one-time passwords (TOTP) to help secure online accounts. It is available on Windows, macOS, Linux, iOS, and Android, allowing users to access their verification codes across devices.

The app is designed to work without ads or tracking. A Proton account is optional and mainly used for encrypted sync between devices.


How Proton Authenticator works

Setup starts with installing the app from the App Store and adding accounts. Users can scan a QR code or enter a setup key provided by a service that supports 2FA. Those switching from another authenticator can import existing tokens, which helps avoid manual reconfiguration.


Proton Authenticator can be used on its own or alongside other Proton services. It supports workflows where authentication codes are managed separately from passwords.

The app generates six-digit codes that refresh every 30 seconds. These codes are required in addition to a password when logging in to supported services.


The app supports importing tokens from other authenticator tools such as Google Authenticator, Aegis, or Bitwarden Authenticator. Export functionality is also included, allowing users to retain control of their data and move it when needed.

Codes are generated locally on the device. They remain accessible without an internet connection, which makes the app reliable in offline or restricted environments.
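Added example (not Proton's code): the RFC 6238 arithmetic behind the six-digit, 30-second codes described above, run purely from the shared secret and the device clock, which is why no network is needed. It also decodes the otpauth provisioning URI that a setup QR code or setup key carries, and includes the server-side check with a one-step clock-drift window; the example URI and secret are RFC 6238's published test values, and the 30-second and six-digit defaults match the page.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Provisioning URI constructed for this example; the secret is the RFC 4226/6238
# test seed "12345678901234567890" encoded in base32, as a QR code would carry it.
RFC_TEST_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&digits=6&period=30&algorithm=SHA1"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole periods since the epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def seconds_remaining(unix_time: int, period: int = 30) -> int:
    """How long the code shown at unix_time stays current (the countdown ring in the app)."""
    return period - (unix_time % period)


def verify_totp(secret: bytes, candidate: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to `window`
    steps either side, to tolerate phone/server clock drift. Constant-time compare."""
    counter = unix_time // period
    for step in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), candidate):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/... URI into the parameters the generator needs."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # setup keys are usually displayed without padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    acct = parse_otpauth(RFC_TEST_URI)
    now = int(time.time())
    code = totp(acct["secret"], now, acct["period"], acct["digits"], acct["algorithm"])
    print(f"{acct['label']}: {code} (valid for {seconds_remaining(now, acct['period'])}s)")
```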

Security model

Proton Authenticator uses end-to-end encryption to protect data when synchronization is enabled. Encryption takes place on the user’s device, so only the user can access stored authentication tokens.


The app is open source, allowing anyone to review how it handles data and security. This adds a level of transparency for users who want visibility into the software they rely on.

Users can protect access to the app with a PIN or biometric authentication, depending on the device. These controls help prevent unauthorized access if a device is shared or lost.

Backup and recovery

The app provides several options for backing up authentication data. Users can enable encrypted backups through a Proton account or rely on platform-specific backup systems.


Export tools allow users to create external backups of their authentication data. This reduces the risk of losing access to accounts if a device is replaced or unavailable.

Conclusion

Proton Authenticator is a solid option if you want more control over your two-factor authentication setup. It handles the basics like generating codes, syncing across devices, and backing up your data, without locking you into one way of doing things.


from Help Net Security https://ift.tt/ZSmxG3F

Security spending continues to edge upward across large organizations, though the changes remain gradual and tightly managed. The 2026 RH-ISAC CISO Benchmark reflects a steady environment where budgets expand in small steps, even as AI becomes a routine part of security operations.

Budget growth stays measured

Spending levels increased during 2025 across both IT and security. Average IT spend as a share of revenue rose to 3.9% from 3.2% the year before. Security spend followed a similar path, reaching 0.75% of revenue, up from 0.57%. Security’s share of the IT budget moved slightly to 5.8%.

Planning for 2026 continues along the same track. More than half of respondents expect their security budgets to increase, with most of those increases falling in the 1% to 10% range. A third expect budgets to hold steady, and a smaller group expects reductions.

Business conditions continue to influence these decisions. Company growth, routine annual adjustments, and ongoing digital transformation continue to support budget increases. At the same time, cost control efforts and broader economic pressure remain the main reasons budgets move downward.

Spending remains focused on core areas

Security budgets continue to concentrate on a few main categories. Staffing and compensation account for the largest share, followed closely by software delivered off-premises. Outsourcing and project work make up smaller portions, with hardware and training representing a limited share of overall spend.

Training allocations follow a similar trend, with conferences and events receiving the largest portion, followed by technical training courses. Learning platforms, certifications, and internal workshops make up the rest.

This distribution points to a steady investment in personnel and operational tooling, with limited expansion into new spending categories.

AI becomes a primary pressure point

AI stands out as the most frequently cited source of friction for security leaders. It ranks above supply chain risk, vulnerability management, and ransomware in day-to-day challenges.

That shift appears alongside a broader set of priorities for the coming year. Vulnerability management and zero trust architecture remain at the top of initiative lists. At the same time, AI is moving into planning discussions, appearing within broader initiative categories tied to operational improvement.

Organizations continue to balance these priorities with structural constraints. Tension between cybersecurity and IT priorities remains the most commonly cited challenge, followed closely by budget limitations. The speed of business requirements adds another layer of pressure on security programs.

AI use expands across security functions

Security teams are already applying AI across several operational areas. Threat detection and analysis represent the most common use, followed by reporting and incident response automation. Smaller portions of teams use AI for fraud detection and vulnerability management.

Governance structures are taking shape alongside these deployments. Most organizations report having implemented or partially implemented AI policies, with only a small minority indicating no policy in place.

Concerns tied to AI remain consistent across organizations. Data leakage through public tools leads the list, followed by insider misuse and gaps in governance. Questions around output accuracy and model integrity also appear across responses.

Investment shifts without major budget expansion

AI-related initiatives are drawing increased investment attention, with most organizations expecting either moderate or significant increases in this area. Even so, these changes do not always translate into larger overall budgets.

A large share of organizations report no meaningful impact on total security spending. Others indicate that AI initiatives are funded through reallocating existing resources. Only a smaller group expects overall security budgets to increase as a direct result of AI efforts.

This keeps overall spending growth aligned with earlier trends, even as new priorities emerge.

Staffing growth remains gradual

Hiring plans follow the same incremental approach seen in budgets. About a third of organizations plan to expand full-time cybersecurity staff in 2026, with most describing those increases as gradual. At the same time, some expect reductions in contractor roles.

The broader role of the CISO continues to expand across areas such as risk management, compliance, and coordination with business units. These responsibilities add complexity without a corresponding surge in staffing.

Security programs continue to evolve through steady adjustments in funding, staffing, and priorities. AI introduces new demands across operations, though organizations continue to manage those demands within budgets that change slowly from one year to the next.


from Help Net Security https://ift.tt/10tUlRj

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Week in review

Financial groups lay out a plan to fight AI identity attacks
Generative AI tools have brought the cost of deepfake production low enough that criminals and state-sponsored actors now use them routinely against financial institutions. A joint paper from the American Bankers Association, the Better Identity Coalition, and the Financial Services Sector Coordinating Council lays out the scale of the problem and calls on federal and state policymakers to act across various areas.

Mimecast makes enterprise email security deployable in minutes
Ranjan Singh, Chief Product and Technology Officer at Mimecast, outlines how the company’s API-based approach delivers protection on par with a traditional Secure Email Gateway without requiring infrastructure changes, and why that matters for stretched security teams trying to close detection gaps on BEC and credential phishing.

Trust, friction, and ROI: A CISO’s take on making security work for the business
In this Help Net Security interview, John O’Rourke, CISO at PPG, talks about what it means for security to drive business value. He explains how mature security programs reduce friction in sales cycles and M&A processes, and how trust is built over time.

Axios npm packages backdoored in supply chain attack
An unknown attacker has compromised the GitHub and npm accounts of the main developer of Axios, a widely used HTTP client library, and published npm packages backdoored with a malicious dependency that triggered the installation of droppers and remote access trojans.

Software supply chain hacks trigger wave of intrusions, data theft
After linking the Axios npm supply chain attack to North Korean hackers, Google researchers warned that “hundreds of thousands of stolen secrets could potentially be circulating” as a result of this and the Trivy, KICS, LiteLLM, and Telnyx supply chain attacks (linked to TeamPCP).

Trivy supply chain attack enabled European Commission cloud breach
CERT-EU confirmed that ShinyHunters are behind the recent breach of the cloud infrastructure underpinning websites of the European Commission, and that they stole and subsequently leaked approximately 340 GB of data.

FortiClient EMS zero-day exploited, emergency hotfixes available (CVE-2026-35616)
Attackers have been observed exploiting two vulnerabilities (one a zero-day) in Fortinet FortiClient Endpoint Management Server (EMS) this week: a previously fixed SQL injection vulnerability (CVE-2026-21643) and a newly unearthed API authentication and authorization bypass exploited as a zero-day (CVE-2026-35616).

Cisco IMC auth bypass vulnerability allows attackers to alter user passwords (CVE-2026-20093)
Cisco has fixed ten vulnerabilities affecting its Integrated Management Controller (IMC), the most critical of which (CVE-2026-20093) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin.

EvilTokens ramps up device code phishing targeting Microsoft 365 users
Security researchers report a notable increase in device code phishing activity aimed at Microsoft 365 users, and have attributed this rise to the availability of EvilTokens, a new, specialized phishing toolkit that’s being offered as-a-service via Telegram.

Google fixes Chrome zero-day with in-the-wild exploit (CVE-2026-5281)
Google has fixed 21 vulnerabilities affecting its popular Chrome browser, among them a zero-day (CVE-2026-5281) with an in-the-wild exploit. As per usual, information about the fixed zero-day is limited, and there are no details about the exploit (or how/if it’s being used by attackers).

Claude Code source leak exploited to spread malware
A source code leak involving Anthropic’s Claude Code tool quickly escalated into a cybersecurity threat, as attackers seized on the exposed files to lure developers into downloading malware disguised as “unlocked” versions of the software.

Why risk alone doesn’t get you to yes
The hardest mission that most security leaders will face is not identifying a threat, but getting someone to act on it. We’re trained to see exposures before others identify them. We continually assess likely threats, evaluate impact, and design controls to prevent disruption long before it reaches operations or shareholders. That’s the job.

Why I’m done calling humans the weakest link
Cybersecurity has long suffered from a people problem, but not in the way we often hear about. As an industry that is based on enabling communication across the globe via the internet and many types of devices, many of us practitioners are very bad at communicating with people.

The art of making technical risk make sense to executives
In this Help Net Security video, Jay Miller, CISO at Paessler, explains how security leaders can communicate technical risk to executives and board members in terms they understand.

Your customer passed authentication. So why are they sending money to a scammer?
In this Help Net Security video, Lenny Gusel, Head of Fraud Solutions in North America at Feedzai, explains how customer identity and access management has converged with digital fraud detection, and why treating them as separate systems creates real risk.

Don’t count on government guidance after a smart home breach
People are filling their homes with internet-connected cameras, speakers, locks, and routers. When one of those devices is compromised, the next steps are often unclear. Researchers reviewing government cybersecurity advice in 11 countries found that most guidance focuses on prevention, leaving households with limited support after a breach.

Rspamd 4.0.0 ships memory savings, a new scan protocol, and a required migration step
The open-source spam filtering platform Rspamd released version 4.0.0, delivering infrastructure changes across its scan protocol, memory model, hash storage, and configuration system. Several of the changes are breaking, and at least one requires a migration step before upgrade.

Apple counters ClickFix attacks with macOS Terminal warning
Apple has added a new security feature in macOS Tahoe 26.4 that warns users before they enter commands in Terminal that could cause harm. The goal is to stop ClickFix attacks, a social engineering trick that gets users to run malicious commands themselves.

Hacker stripped more than $50 million from Uranium crypto exchange, spent it on trading cards
US prosecutors have charged a Maryland man in connection with two hacks of the Uranium Finance cryptocurrency exchange that led to losses exceeding $50 million.

Amazon sends AI agents into pen testing and DevOps
Amazon’s latest AI capabilities bring on-demand penetration testing through the AWS Security Agent, alongside the AWS DevOps Agent. AWS Security Agent enables on-demand penetration testing for applications, addressing gaps created by periodic testing limited by time and cost.

Crypto industry may be running out of time to prepare for quantum attacks
Google’s latest research suggests the cryptocurrency industry may have less time than expected to prepare for quantum computing.

Cybercriminals take aim at Hasbro, weeks of recovery ahead
Hasbro, an American toy maker with more than 5,000 employees, confirmed a cyberattack and proactively took certain systems offline. The intrusion was detected on March 28, and the company promptly activated its incident response protocols.

TrueConf zero-day vulnerability exploited to target government networks
Suspected China-nexus attackers have leveraged a zero-day vulnerability (CVE-2026-3502) in the TrueConf client application to distribute malware within government networks in Southeast Asia, Check Point researchers discovered.

DarkSword exploit forces Apple to loosen its patching policy
Apple has extended security updates to a wider range of devices still running iOS 18, aiming to protect users from the DarkSword exploit kit.

Microsoft releases open-source toolkit to govern autonomous AI agents
AI agents can book travel, execute financial transactions, write and run code, and manage infrastructure without human intervention at each step. Frameworks like LangChain, AutoGen, CrewAI, and Azure AI Foundry Agent Service have made this kind of autonomy straightforward to deploy. The governance infrastructure to match that autonomy has lagged behind. Microsoft released the Agent Governance Toolkit to address that gap.

Breaking out: Can AI agents escape their sandboxes?
Container sandboxes are part of routine AI agent testing and deployment. Agents use them to run code, edit files, and interact with system resources without direct access to the host. The SandboxEscapeBench benchmark, developed by researchers at the University of Oxford and the AI Security Institute, evaluates whether an agent with shell access can escape a container and reach the host system.

ShipSec Studio brings open-source workflow orchestration to security operations
Security teams have long relied on a mix of shell scripts, cron jobs, and loosely connected tools to chain reconnaissance and vulnerability scanning work together. ShipSec Studio, an open-source security workflow automation platform from ShipSec AI, aims to replace that arrangement with a dedicated orchestration layer built specifically for security operations.

SystemRescue 13 updates its kernel to Linux 6.18 LTS, adds new recovery tools
Bootable Linux recovery environments occupy a specific niche in the systems administration and incident response toolkit. SystemRescue, an Arch-based live distribution built for repairing unbootable systems and recovering data from damaged drives, has shipped version 13.00 with a new long-term supported kernel, updated storage tools, and several additions to its command-line toolset.

Android 17 tweaks location privacy with one-time access
Google introduced a suite of location privacy features in Android 17 Beta 3 to give users more control and provide developers with tools for data minimization and product safety.

Hottest cybersecurity open-source tools of the month: March 2026
Presented here is a curated selection of noteworthy open-source cybersecurity solutions that have drawn recognition for their ability to enhance security postures across diverse settings.

Intel puts its data center performance knowledge on GitHub
Intel engineers have published a centralized repository of data center performance knowledge on GitHub, giving practitioners direct access to tuning guides, configuration recommendations, and optimization recipes that previously required hunting across forums and scattered documentation.

Android developers just got a new verification layer
To help prevent malicious actors from spreading harmful apps while hiding behind anonymity, Google is rolling out developer verification to all Android developers. The company is also introducing app registration, which links apps to verified developer identities.

Google Drive now detects ransomware and helps restore affected files
To help organizations minimize the impact of malware attacks on personal computers, Google launched ransomware detection and file restoration in beta in September 2025. These features are now generally available.

Windows 11 gets a rebuilt console engine with regex search, Sixel images and a 10x speed boost
Microsoft released Windows 11 Insider Preview Build 29558.1000 to the Canary Channel, part of the optional 29500 build series. The build carries a set of changes focused on the Windows Console, a handful of bug fixes, and small improvements to Settings and disk utilities.

Malware detectors trained on one dataset often stumble on another
Machine learning models built to catch malware on Windows systems are typically evaluated on data that closely resembles their training set. In practice, the malware arriving on enterprise endpoints looks different, comes from different sources, and in many cases has been deliberately obfuscated to evade detection. A study from researchers at the Polytechnic of Porto tests what happens when that gap is made explicit, and the results have direct implications for organizations relying on static detectors as a first line of defense.

Microsoft adds high-volume email sending to Exchange Online
Organizations that rely on Exchange Online for internal communications have long needed a way to send large volumes of automated messages, such as payroll notifications, IT alerts, and security advisories, without running into the sending limits designed for person-to-person email. Microsoft has addressed that with the general availability of High Volume Email (HVE) in Exchange Online.

Tracking drones with the 5G tower down the street
Drone detection in cities is expensive. Dedicated radar installations are cost-prohibitive at scale, cameras have limited range and stop working well at night, and LiDAR systems have the same cost problem as radar. A group of researchers at the University of Science and Technology of China spent the past year working on a different approach: using 5G-Advanced base stations that are already in the ground to do the job instead.

Which messaging app takes the most limited approach to permissions on Android?
Messaging apps handle sensitive conversations, contacts, and media, and their behavior on a device varies in ways that affect privacy. An analysis of Android versions of Messenger, Signal, and Telegram shows that differences in permissions, background activity, and system exposure shape how much data each app can access and how often it communicates.

Download: 2026 SANS Identity Threats & Defenses Survey
New research from the 2026 SANS Identity Threats & Defenses Survey shows that 55% of organizations experienced an identity-related compromise last year, while 26% reported MFA fatigue as a factor in identity attacks.

Cybersecurity jobs available right now: March 31, 2026
We’ve scoured the market to bring you a selection of roles that span various skill levels within the cybersecurity field. Check out this weekly selection of cybersecurity jobs available right now.

New infosec products of the month: March 2026
Here’s a look at the most interesting products from the past month, featuring releases from Beazley, Bonfy.AI, Mend.io, Mimecast, NinjaOne, Novee, Intel 471, Singulr AI, Stellar Cyber, Teleport, and Vicarius.


from Help Net Security https://ift.tt/csARbha

Defused Cyber has spotted another Fortinet FortiClient Endpoint Management Server (EMS) zero-day vulnerability (CVE-2026-35616) being exploited in the wild.

This time around, the confirmation of active exploitation came almost immediately from Fortinet, as well.

“Fortinet has observed [CVE-2026-35616] to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the company stated in a security advisory published on Saturday.

About CVE-2026-35616

On Monday, Defused Cyber warned about CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient EMS, being leveraged by remote, unauthenticated attackers.

The exploitation of CVE-2026-21643 came months after Fortinet pushed out a fix for it and several weeks after Bishop Fox researchers shared their analysis of the vulnerability and practical exploitation paths.

CVE-2026-35616, on the other hand, is an improper access control vulnerability that allows for an API authentication and authorization bypass, and may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVE-2026-35616 affects FortiClientEMS versions 7.4.5 and 7.4.6, but not the 7.2 branch. According to Fortinet, the provided hotfixes are “sufficient to prevent it entirely.”

“Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue,” the company added. The security advisory does not mention whether the 8.0 branch is affected by this flaw.



from Help Net Security https://ift.tt/OGbULAK