
Fortinet Issues Emergency Patch for FortiClient Zero-Day

Dark Reading, archived Apr 07, 2026

The authentication bypass flaw, tracked as CVE-2026-35616, is the latest in a series of Fortinet vulnerabilities that have been exploited in the wild.


Rob Wright, Senior News Director, Dark Reading
April 6, 2026

Fortinet deployed an emergency patch for yet another zero-day vulnerability that has been exploited in the wild.

On Saturday, Fortinet disclosed CVE-2026-35616, which it described as an improper access control vulnerability in its FortiClient Endpoint Management Server (EMS) software. The critical flaw received a 9.1 CVSS score and, if exploited, can allow an unauthenticated attacker to execute code or commands through crafted requests.

In its security advisory, the network security vendor confirmed the flaw has been exploited in the wild, and urged customers to install the hotfix for FortiClient EMS versions 7.4.5 and 7.4.6. "Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely," the company said in the advisory.

Fortinet credited Simo Kohonen, founder and CEO of cybersecurity vendor Defused, and security researcher Nguyen Duc Anh with discovering and reporting the flaw. It's unclear who's behind the attacks, but the exploitation appears to be limited, Kohonen tells Dark Reading, as the activity stemmed from a single exploit.

The exploited zero-day flaw follows another FortiClient EMS vulnerability, tracked as CVE-2026-21643, that came under attack late last month. Defused spotted exploitation activity against the critical SQL injection flaw, which was first disclosed and patched on Feb. 6.

So far, Kohonen says there are no signs of any overlapping threat activity for the two CVEs, adding, "We haven't seen the zero-day being exploited by anyone else except the original exploit so far (which is good news, as I bet many haven't patched yet due to weekend/holidays)."

CVE-2026-35616 Exploitation Activity

In a post on social media platform X, Defused described CVE-2026-35616 as a "pre-authentication API access bypass" that allows an attacker to sidestep API authorization entirely. The company said it discovered the flaw via its forthcoming Radar feature.

"The Radar is basically a large-scale anomaly detector that tries to find zero-days and other interesting trends from the masses of honeypot data that we ingest," Kohonen explains. "The point is to surface interesting events, payloads, and such to Defused users, as the amount of raw events coming in is pretty large, even with all the filtering options we have."

Kohonen says Radar, which will be publicly launched in the coming days, had previously flagged exploitation activity for CVE-2026-3055, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on Monday. Federal civilian executive branch (FCEB) agencies, which typically have two weeks to patch or mitigate exploited flaws, must address the FortiClient zero-day by April 9.

In a Tenable blog post published Monday, senior staff engineer Scott Caveza noted that a public proof-of-concept (PoC) exploit was identified on GitHub, though Tenable researchers have not yet verified it. "Given the past exploitation of Fortinet devices and published exploit code for several past vulnerabilities, we anticipate that exploitation will continue to increase as additional exploits are released," Caveza wrote.

Attackers Pouncing on Fortinet Products

Fortinet products have been increasingly popular targets for a broad range of threat actors, who often exploit disclosed vulnerabilities quickly, leaving organizations little time to patch.

In January, Fortinet confirmed that threat actors exploited a critical zero-day flaw that enabled them to log in to customer systems via FortiCloud's single sign-on (SSO) feature. Earlier that same month, CVE-2025-64155, a critical command-injection vulnerability in the vendor's FortiSIEM platform, came under widespread exploitation.

In early December, Fortinet disclosed two critical authentication bypass flaws in its FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products, one of which — CVE-2025-59718 — was added to CISA's KEV catalog about a week later. And in November, attackers exploited CVE-2025-64446, a critical path traversal flaw in the company's FortiWeb product line.

Threat actors target Fortinet products even when there aren't fresh CVEs to exploit. In February, researchers at Amazon Web Services discovered a threat actor had compromised hundreds of FortiGate devices using AI to take advantage of weak credentials, exposed ports, and other security gaps.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.