Fortinet Rushes Emergency Fix for Actively Exploited FortiClient EMS Zero-Day CVE-2026-35616

April 11, 2026

Fortinet Discloses Critical Zero-Day in FortiClient EMS

Fortinet issued an emergency patch on Saturday for a newly discovered zero-day vulnerability affecting its FortiClient Endpoint Management Server (EMS) software. The flaw, tracked as CVE-2026-35616, is classified as an improper access control vulnerability and carries a critical CVSS score of 9.1. Successful exploitation allows an unauthenticated attacker to execute arbitrary code or commands by sending specially crafted requests to a vulnerable server.

In its official security advisory, Fortinet confirmed that the vulnerability has already been exploited in the wild and strongly urged customers to apply the available hotfix for FortiClient EMS versions 7.4.5 and 7.4.6 without delay. The company noted that the upcoming FortiClient EMS 7.4.7 release will also incorporate a permanent fix. "Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely," the advisory stated.

Who Found the Flaw — and How

Fortinet credited two researchers with discovering and reporting the vulnerability: Simo Kohonen, founder and CEO of cybersecurity firm Defused, and security researcher Nguyen Duc Anh. According to Kohonen, the exploitation activity observed so far appears limited, stemming from a single exploit rather than widespread campaigns.

In a post on X (formerly Twitter), Defused described CVE-2026-35616 as a pre-authentication API access bypass — a mechanism that lets an attacker completely sidestep API authorization controls without any credentials. The company said it uncovered the flaw through its forthcoming Radar feature, an anomaly detection system that analyzes large volumes of honeypot data to surface unusual events and potential zero-days.

"The Radar is basically a large-scale anomaly detector that tries to find zero-days and other interesting trends from the masses of honeypot data that we ingest. The point is to surface interesting events, payloads, and such to Defused users, as the amount of raw events coming in is pretty large, even with all the filtering options we have." — Simo Kohonen, Defused

Kohonen noted that Radar, set for public launch in the coming days, had previously flagged exploitation activity targeting CVE-2026-3055, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway.

Limited Exploitation — For Now

While active exploitation has been confirmed, Kohonen indicated the scope remains narrow. "We haven't seen the zero-day being exploited by anyone else except the original exploit so far (which is good news, as I bet many haven't patched yet due to weekend/holidays)," he told Dark Reading. The identity of the threat actor behind the attacks has not been established.

CVE-2026-35616 follows closely on the heels of another FortiClient EMS vulnerability — CVE-2026-21643 — a critical SQL injection flaw first disclosed and patched on February 6, which came under active attack late last month. Defused detected that exploitation as well. Kohonen stated there are currently no signs of overlapping threat activity between the two CVEs.

CISA Acts; Federal Agencies Face April 9 Deadline

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on Monday. Under standard CISA timelines, Federal Civilian Executive Branch (FCEB) agencies must remediate the flaw or apply appropriate mitigations by April 9.

Security firm Tenable also weighed in on Monday, with senior staff engineer Scott Caveza noting in a blog post that a public proof-of-concept (PoC) exploit had been identified on GitHub, though Tenable researchers had not yet independently verified it. Caveza warned that the risk of broader exploitation is real: "Given the past exploitation of Fortinet devices and published exploit code for several past vulnerabilities, we anticipate that exploitation will continue to increase as additional exploits are released."

A Growing Pattern of Attacks Against Fortinet Products

CVE-2026-35616 is only the latest entry in a long string of exploited Fortinet vulnerabilities that have kept security teams scrambling over the past several months. Fortinet products have become attractive, high-value targets for a wide spectrum of threat actors who routinely weaponize newly disclosed flaws before organizations can deploy patches.

Threat actors have also targeted Fortinet infrastructure even in the absence of new CVEs. In February 2026, researchers at Amazon Web Services uncovered a campaign in which a threat actor used AI-assisted techniques to compromise hundreds of FortiGate devices by exploiting weak credentials, exposed ports, and other security misconfigurations.

Recommended Actions for Organizations

Fortinet customers running affected versions of FortiClient EMS should treat this as an urgent remediation priority. The following steps are recommended:

  1. Apply the available hotfix for FortiClient EMS 7.4.5 and 7.4.6 immediately.
  2. Plan to upgrade to FortiClient EMS 7.4.7 once it becomes available, as the permanent fix.
  3. Monitor for anomalous API requests or unauthenticated activity against EMS infrastructure.
  4. Review CISA's KEV catalog regularly and prioritize patching of listed vulnerabilities within mandated timeframes.

Given the accelerating pace at which threat actors have targeted Fortinet products, organizations should not wait for automated patch cycles. The combination of a publicly available PoC exploit and confirmed in-the-wild exploitation creates a narrow window before attacks escalate in frequency and sophistication.

Source: Dark Reading