
Attackers Target Zero-Day Flaw in Fortinet Security Software

Source: Data Breach Today · Archived Apr 06, 2026

Vendor Issues Hotfix for Critical Flaw in FortiClient Endpoint Management Server

Fortinet's endpoint management server software is under fire from attackers, who are actively targeting two critical flaws, including a fresh zero-day that enables unauthenticated remote code or command execution. The vendor has issued a hotfix and promised a full patch.

Mathew J. Schwartz (euroinfosec) • April 6, 2026

Firewall mainstay Fortinet rushed out emergency patches Sunday while warning that hackers are actively targeting two critical flaws, including a zero-day, to remotely execute code and commands.

The vendor on Saturday issued a hotfix for the zero-day, tracked as CVE-2026-35616, in its FortiClient Endpoint Management Server. "Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6," it said. The next version will also include a fix, but "in the meantime, the hotfix above is sufficient" to stop the attacks, it said.

Security teams use EMS to centrally administer endpoints such as laptops and mobile devices. The server software ties devices running the FortiClient software into the Fortinet Security Fabric, which provides endpoint protection and secure VPN access and enforces zero trust network access.

The now-hotfixed zero-day allows an unauthenticated attacker to bypass authentication and authorization and to execute "unauthorized code or commands via crafted requests," said Finnish threat intelligence startup Defused in a Saturday post to social platform X. The firm disclosed the flaw to Fortinet.

The Shadowserver Foundation, a nonprofit cybersecurity organization, said Sunday that it has fingerprinted about 2,000 instances of FortiClient EMS exposed on the internet, with the greatest number in the United States and Germany. How many of those have installed the hotfix isn't clear.
The organization warned that attackers are actively targeting FortiClient EMS servers that lack the hotfix or are missing the patch for an earlier FortiClient EMS flaw, tracked as CVE-2026-21643, which also carries a CVSS rating of 9.1. Fortinet first patched CVE-2026-21643 on Feb. 6, warning at the time that it was already being actively exploited in the wild. The vendor said an unauthenticated attacker can exploit CVE-2026-21643 in FortiClient EMS "to execute unauthorized code or commands via specifically crafted HTTP requests," a SQL injection attack that leads to arbitrary code execution.

Benjamin Harris, CEO and founder of threat intelligence firm watchTowr, said its honeypot data suggests the first probes tied to the latest, zero-day vulnerability began Tuesday. Sustained attacks started three days later, at the beginning of the Easter holiday weekend, on Good Friday.

"The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental. Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity," Harris said (see: Holiday Hits: Hackers Love to Strike When Defenders Are Away).

Fortinet moved quickly to respond to the flaw. "This is a zero-day. While there is no full patch, we have to give credit where credit is due: Fortinet has rushed out a hotfix over a holiday weekend, which reflects how urgently the company is treating this," Harris said.

Edge devices are recurring targets for criminal and nation-state hackers. "Exploitation consistently favors edge devices because they are internet-facing, often lag in patching and provide direct operational leverage once compromised," said the latest annual threat report from Cisco Talos.
Flaw disclosure and patch development ironically lead to higher volumes of edge device attacks than when a vulnerability was a closely guarded zero-day secret. Talos reported that roughly a third of the top 100 vulnerabilities most targeted by attackers last year were flaws that were already 10 years old or more.

"Many older CVEs - like those affecting VPNs, web servers and firewalls - provide direct initial access to a network. For example, CVE-2018-13379 (Fortinet), CVE-2019-11510 (Pulse Secure) and CVE-2020-5902 (F5 BIG-IP) are all over five years old but were still actively targeted in 2025 because they provide immediate, remote access," Talos said.