New Fortinet Zero-Day Warning—Update Now, Attacks Underway - Forbes
By Davey Winder, Senior Contributor.
Davey Winder is a veteran cybersecurity writer, hacker and analyst.
Apr 06, 2026, 08:33am EDT. Updated Apr 07, 2026, 07:43am EDT.
Fortinet issues emergency update as zero-day attack confirmed.
NurPhoto via Getty Images
Updated April 7: Following confirmation of a critical new zero-day Fortinet vulnerability, with attacks already underway, the U.S. Cybersecurity and Infrastructure Security Agency has now given certain federal agencies just days to apply the patch or stop using the affected systems.
An April 4 Fortinet security advisory has confirmed that an improper access control vulnerability, impacting the FortiClient Endpoint Management Server, can allow an unauthenticated hacker to execute unauthorized code. If that sounds serious to you, that’s because it is. But it gets worse: Fortinet has also confirmed that CVE-2026-35616 is already being exploited in the wild by attackers. Yes, this is another zero-day headache for already-stressed system administrators. As a result, Fortinet has urged “vulnerable customers to install the hotfix for FortiClientEMS 7.4.5 and 7.4.6.” Here’s what we know and what you need to do.
Not all zero-day vulnerabilities are critical in nature, especially when a patch is automatically rolled out, such as with the latest Chrome 0-day security fix. Obviously, your enterprise risk assessments will come into play to determine the exact nature of the threat to your organization, but when the zero-day inquisition comes with a Common Vulnerability Scoring System severity rating of 9.1 out of 10, the necessity for urgent assessment increases. And that’s the case here, as Fortinet has made quite clear with the security advisory and associated emergency security update.
According to the Vulners vulnerability database, the CVE-2026-35616 zero-day has been given that critical status because it uses a network attack vector, has low attack complexity, requires no privileges, and has an impact on confidentiality, integrity, and availability that demands such a rating.
The zero-day vulnerability, for whose discovery and responsible disclosure Fortinet credited cybersecurity experts at Defused, is a “pre-authentication API access bypass,” Defused confirmed, and enables an attacker not only to “bypass API authentication and authorization entirely,” but also to execute “unauthorized code or commands via crafted requests.”
So critical is this security issue that the Cybersecurity and Infrastructure Security Agency, which calls itself America's Cyber Defense Agency and is tasked as the national coordinator for critical infrastructure security and resilience, has not only added CVE-2026-35616 to the Known Exploited Vulnerabilities database but, under Binding Operational Directive 22-01, ordered Federal Civilian Executive Branch agencies to apply the update or stop using the services by Friday, April 10.
While Fortinet has stated that the forthcoming FortiClientEMS version 7.4.7 will include a fix for CVE-2026-35616, it has also issued an emergency hotfix security update, which, the company said, “is sufficient to prevent it entirely.”
Full instructions for applying the Fortinet hotfix can be found here for FortiClientEMS version 7.4.5, and here for FortiClientEMS version 7.4.6. You know what to do.