Fortinet Rushes Emergency Fixes for Exploited Zero-Day - SecurityWeek

Fortinet over the weekend rushed emergency fixes for a FortiClient Enterprise Management Server (EMS) vulnerability that has been exploited as a zero-day. Described as an improper access control issue, the critical-severity flaw is tracked as CVE-2026-35616 (CVSS score of 9.1) and could be exploited for remote code execution (RCE). According to Fortinet’s advisory, remote attackers could send crafted requests to a vulnerable FortiClient EMS to trigger the bug. Successful exploitation does not require authentication, it says. “Fortinet has observed this to be exploited in the wild,” the company warned. On Saturday, Fortinet announced the availability of hotfixes to address the security defect in FortiClient EMS versions 7.4.5 and 7.4.6, noting that version 7.2 is not affected. The company also published detailed instructions on how to download and apply the hotfixes for both FortiClient EMS 7.4.5 and 7.4.6, and on how to verify that the hotfixes have been applied. “Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely,” Fortinet said. The company credited “Defused” for finding and reporting the flaw. According to the cybersecurity firm, the vulnerability allows unauthenticated attackers to bypass API authentication and authorization. “After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under responsible disclosure,” the cybersecurity company said on Saturday. Non-profit organization The Shadowserver Foundation says it has observed approximately 2,000 FortiClient EMS instances that are accessible from the internet. These instances, it notes, are potentially exposed to attacks exploiting the new zero-day, as well as CVE-2026-21643, a recently patched SQL injection that has been exploited for over a week. Attack surface management firm WatchTowr says it has observed exploitation activity starting March 31, “in what appeared to be early probes ahead of a full ramp-up”. “What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks. So, once again, organizations running FortiClient EMS and exposed to the internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start,” WatchTowr CEO and founder Benjamin Harris said. On Monday, the US cybersecurity agency CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by April 9. *Updated with additional information from WatchTowr and to mention the CVE’s inclusion in the KEV list. Related: TrueConf Zero-Day Exploited in Asian Government Attacks Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign Related: Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome Related: Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire React2Shell Exploited in Large-Scale Credential Harvesting Campaign North Korean Hackers Drain $285 Million From Drift in 10 Seconds Cisco Patches Critical and High-Severity Vulnerabilities 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital Mercor Hit by LiteLLM Supply Chain Attack Sophisticated CrystalX RAT Emerges Linx Security Raises $50 Million for Identity Security and Governance Depthfirst Raises $80 Million in Series B Funding Latest News Wynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack Google DeepMind Researchers Map Web Attacks Against AI Agents Guardarian Users Targeted With Malicious Strapi NPM Packages North Korean Hackers Target High-Profile Node.js Maintainers European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack TrueConf Zero-Day Exploited in Asian Government Attacks In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware Critical ShareFile Flaws Lead to Unauthenticated RCE Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Scott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea. Kai has named Nick Degnan as Chief Revenue Officer. Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind. More People On The Move Expert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Email