Critical Fortinet FortiClient EMS 0-Day Actively Exploited via CVE-2023-48788

Jennifer sherman
April 4, 2026

Key Takeaways

  • A critical zero-day vulnerability (CVE-2026-35616) in Fortinet FortiClient EMS is under active exploitation.
  • The flaw allows unauthenticated attackers to bypass API authentication, leading to arbitrary code execution.
  • FortiClient EMS versions 7.4.5 and 7.4.6 are affected; emergency hotfixes are available.
  • The vulnerability carries a CVSSv3 score of 9.1 (Critical).

Fortinet has rapidly deployed an emergency hotfix to address a critical zero-day vulnerability within its FortiClient EMS product. This flaw, which allows unauthenticated attackers to bypass API security controls, is already being actively exploited in the wild, prompting an urgent call for users to patch their systems.

Critical Zero-Day Under Active Exploitation

Tracked as CVE-2026-35616, this critical vulnerability carries a CVSSv3 score of 9.1. The weakness allows threat actors to completely circumvent API authentication and authorization mechanisms in the FortiClient Endpoint Management Server (EMS), enabling them to execute arbitrary commands or code on vulnerable systems.

The vulnerability, categorized as CWE-284 (Improper Access Control), specifically affects the API layer of FortiClient EMS. It is dangerous because successful exploitation requires no prior authentication, user interaction, or elevated privileges, which poses a significant risk to organizations with internet-facing EMS deployments.

An attacker can leverage specially crafted API requests to bypass all security checks, thereby gaining full control over endpoint management operations. The attack vector is network-based and low in complexity. The potential impact spans confidentiality, integrity, and availability, directly contributing to its near-maximum CVSS rating.

According to Fortinet’s advisory (FG-IR-26-099), the primary consequence of this vulnerability is privilege escalation, with the vendor confirming active exploitation.

Affected Versions and Discovery

Only FortiClient EMS versions 7.4.5 and 7.4.6 are susceptible to this vulnerability. FortiClient EMS 7.2.x is not affected and does not require immediate action related to this specific CVE. While a permanent fix will be integrated into the upcoming FortiClient EMS 7.4.7 release, Fortinet has made emergency hotfixes immediately available for the currently affected branches.

The vulnerability was independently discovered by Simo Kohonen from the threat intelligence firm Defused and researcher Nguyen Duc Anh. Defused identified active in-the-wild exploitation earlier this week and promptly reported it to Fortinet through responsible disclosure protocols. This discovery was facilitated by Defused’s forthcoming Radar feature, which aims to detect novel exploitation activity in real time.

🚨 New Fortinet vulnerability being exploited as an 0-day

CVE-2026-35616 – FortiClient EMS pre-authentication API access bypass – CVSS 9.1 Critical

After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under… pic.twitter.com/GUk5fCAx91

— Defused (@DefusedCyber) April 4, 2026

Fortinet responded swiftly to the report, publishing its advisory and releasing the emergency hotfix on April 4, 2026, the very same day the vulnerability was initially reported.

What You Should Do

  • Apply Hotfixes Immediately: Fortinet strongly advises all customers running affected FortiClient EMS versions (7.4.5 and 7.4.6) to apply the emergency hotfixes without delay. Refer to the official release notes for detailed installation instructions:
    • For FortiClient EMS 7.4.5, consult the 7.4.5 EMS release notes on the Fortinet documentation portal.
    • For FortiClient EMS 7.4.6, consult the 7.4.6 EMS release notes on the Fortinet documentation portal.
  • Monitor Logs: Organizations should actively monitor their EMS logs for any unusual API activity, especially unauthenticated requests, which could signal attempted or successful exploitation.
  • Restrict External Access: Where feasible, limit external access to the EMS management interface at the network perimeter. This adds a crucial layer of defense until patches are fully deployed across the environment.
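
One way to act on the log-monitoring and access-restriction advice above, as an added example that is not from the article or from Fortinet: a triage pass over access logs that flags API requests which succeeded without an authenticated user, or which came from outside the management network. The log layout, the /api/ prefix, the routes and the management subnet are all assumptions to adapt to your own deployment.

```python
import ipaddress
import re

# Assumptions, not from the article or Fortinet documentation: a reverse proxy
# in front of EMS writes combined-style access logs with a trailing
# auth=<user|-> field, API routes start with /api/, admins use MGMT_NETS only.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
API_PREFIX = "/api/"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ auth=(?P<user>\S+)$'
)

def triage(lines):
    """Return (findings, unparsed_count) for an iterable of access-log lines."""
    findings, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            src = ipaddress.ip_address(m["src"]) if m else None
        except ValueError:
            src = None
        if src is None:
            unparsed += 1  # count unreadable lines instead of dropping them silently
            continue
        if not m["path"].lower().startswith(API_PREFIX):
            continue
        external = not any(src in net for net in MGMT_NETS)
        if m["user"] == "-" and m["status"].startswith("2"):
            severity, reason = "high", "unauthenticated API request succeeded"
        elif external:
            severity, reason = "medium", "API reached from outside management networks"
        else:
            continue
        findings.append((severity, str(src), m["method"], m["path"], m["status"], reason))
    return findings, unparsed

# Constructed sample lines: documentation-range addresses, made-up routes.
SAMPLE = [
    '10.20.0.5 - - [04/Apr/2026:09:01:12 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 512 auth=admin',
    '203.0.113.7 - - [04/Apr/2026:09:02:40 +0000] "POST /api/v1/settings HTTP/1.1" 200 88 auth=-',
    '203.0.113.7 - - [04/Apr/2026:09:02:41 +0000] "GET /api/v1/endpoints HTTP/1.1" 401 0 auth=-',
    '198.51.100.9 - - [04/Apr/2026:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 auth=-',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE)[0]:
        print(*hit, sep=" | ")
```

A non-zero unparsed count means the pattern does not match your log format and the result should not be read as a clean bill of health.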
