Fortinet Patches Critical Zero-Day Vulnerability Under Active Attack

What happened

On April 4, Fortinet disclosed CVE-2026-35616, a critical vulnerability with a 9.1 CVSS score affecting its FortiClient Endpoint Management Server (EMS) software. The flaw is an improper access control issue that allows unauthenticated attackers to bypass API authorization and execute arbitrary code through crafted requests. Fortinet confirmed active exploitation in the wild and released emergency hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6 over the holiday weekend. The vulnerability was discovered by researchers from Defused and reported to Fortinet. Security firm watchTowr detected the earliest exploitation attempts on March 31, with activity initially limited but ramping up after public disclosure. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 6, requiring federal agencies to patch by April 9. A proof-of-concept exploit has appeared on GitHub, though researchers have not yet verified it. Approximately 2,000 publicly exposed FortiClient EMS instances were identified through internet scans.

Why it matters

This represents the second actively exploited FortiClient EMS vulnerability in just over a month, following CVE-2026-21643 disclosed in early February. FortiClient EMS is used by organizations to centrally manage and secure both remote and office computers, making it a critical piece of infrastructure. The vulnerability's critical severity rating and pre-authentication nature means attackers require no credentials to exploit it. While current exploitation appears limited, the timing over a holiday weekend and rapid increase in activity following disclosure follows a common pattern where attackers exploit detection gaps during periods when security teams operate at reduced capacity. Fortinet products have become increasingly popular targets across the threat landscape, with CISA adding 10 Fortinet vulnerabilities to its KEV catalog since early 2025 alone. The relatively small internet-facing footprint of FortiClient EMS (roughly 100-2,000 exposed instances depending on methodology) may limit overall impact, but organizations running vulnerable versions face immediate risk of compromise.

Bigger picture

Fortinet products have faced sustained targeting by threat actors throughout 2025 and late 2024, with at least 24 Fortinet CVEs currently on CISA's KEV list, 13 linked to ransomware campaigns. Recent months saw exploitation of vulnerabilities across FortiCloud SSO (January), FortiSIEM (January), FortiOS/FortiWeb/FortiProxy/FortiSwitchManager (December), and FortiWeb (November). Government-backed groups from Russia and China have previously targeted vulnerable FortiClient EMS instances. In February, researchers discovered attackers using AI to compromise hundreds of FortiGate devices through weak credentials and exposed ports even without fresh CVEs. The pattern shows threat actors exploit Fortinet vulnerabilities rapidly after disclosure, often within days, and continue targeting older unpatched flaws. The network security vendor's widespread enterprise deployment makes its products high-value targets, while the frequency of critical vulnerabilities raises questions about secure development practices. Organizations running Fortinet infrastructure face elevated risk and must maintain aggressive patching cadences.

What to watch

Monitor whether exploitation expands beyond the single threat actor identified so far, particularly as proof-of-concept code circulates publicly. Track whether the upcoming FortiClient EMS 7.4.7 release arrives on schedule and whether Fortinet provides additional context about attacker identity or scope of compromises. Watch for potential connections between CVE-2026-35616 and CVE-2026-21643 exploitation, as both target the same product within weeks. Federal agencies must patch by April 9 per CISA's KEV deadline. Organizations should verify hotfix deployment and confirm no unauthorized access occurred before patching. Given historical patterns, watch for follow-on vulnerabilities in Fortinet products and whether attackers shift focus to other components of the vendor's portfolio. The limited internet-facing footprint suggests internally deployed instances may become targets if attackers gain initial network access through other means.

This article was generated by Quantli AI using publicly available news sources.