CISA Warns of Fortinet 0-Day Vulnerability Actively Exploited in Attacks
Key Takeaways
- A critical zero-day vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) is being actively exploited in the wild.
- The flaw, an improper access control issue, allows unauthenticated attackers to achieve remote code execution (RCE) and privilege escalation.
- FortiClient EMS versions 7.4.5 and 7.4.6 are affected; version 7.2 is not vulnerable.
- Fortinet has released an emergency hotfix, and CISA has added the flaw to its KEV catalog, mandating rapid remediation for federal agencies.
CISA Issues Urgent Warning for Actively Exploited Fortinet EMS Zero-Day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an actively exploited zero-day vulnerability impacting FortiClient Enterprise Management Server (EMS). Identified as CVE-2026-35616, this improper access control flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as of April 6, 2026, signaling its immediate and severe threat.
Technical Details of CVE-2026-35616
CVE-2026-35616 is a high-severity vulnerability with a CVSS score of 9.1, categorized under CWE-284 (Improper Access Control). It affects FortiClient EMS versions 7.4.5 and 7.4.6; Fortinet has confirmed that the 7.2 branch of the software remains unaffected.
The core of the vulnerability is a pre-authentication API access bypass: an attacker can escalate privileges without presenting any valid credentials, gaining unauthorized access to the system.
According to Fortinet’s official advisory (FG-IR-26-099), an unauthenticated attacker can exploit this vulnerability by crafting specific HTTP requests. These requests bypass the API’s authentication and authorization mechanisms, leading to the execution of malicious code or commands. This capability provides threat actors with an unauthenticated remote code execution (RCE) primitive against exposed EMS deployments.
Discovery and In-the-Wild Exploitation
Active exploitation of this zero-day was first documented on March 31, 2026, when security firm watchTowr observed attempts against its honeypots. The vulnerability was responsibly discovered and reported by security researchers Simo Kohonen from Defused Cyber and Nguyen Duc Anh. Fortinet promptly confirmed the in-the-wild exploitation in an emergency advisory, urging vulnerable customers to apply the available hotfix for FortiClient EMS 7.4.5 and 7.4.6.
The swift response from Fortinet, following Defused Cyber’s public disclosure, underscores the urgency of this threat. This incident marks the second critical EMS vulnerability to be exploited within a few weeks, raising significant concerns about the security posture of internet-facing FortiClient EMS deployments.
Impact of Successful Exploitation
A successful exploit of CVE-2026-35616 grants attackers extensive capabilities, including:
- Bypassing API authentication and authorization controls without requiring any credentials, as detailed by Cyberleveling.
- Executing unauthorized code or commands remotely through specially crafted requests, as highlighted by NIST’s NVD.
- Potentially establishing an initial foothold within the target network, which could facilitate lateral movement or the deployment of additional malware, according to Security Affairs.
- Escalating privileges within the EMS environment, thereby compromising connected endpoint clients, as reported by CDO Times.
Because the EMS telemetry endpoint typically must be internet-accessible so that enrolled endpoints can communicate with it, the attack surface for this particular vulnerability is significantly broader than for a purely internal management interface.
Mandated Remediation and Global Exposure
CISA’s inclusion of CVE-2026-35616 in its KEV catalog, under Binding Operational Directive (BOD) 22-01, mandates that all U.S. federal civilian executive branch agencies apply necessary mitigations by April 9, 2026. This tight three-day remediation window underscores the critical nature of the active exploitation.
The Shadowserver Foundation has also issued an urgent advisory to administrators of FortiClient EMS, identifying over 2,000 publicly accessible instances globally. They have confirmed active exploitation of critical unauthenticated remote code execution vulnerabilities in at least two of these instances.
What You Should Do
- Immediately apply the hotfix provided by Fortinet for FortiClient EMS versions 7.4.5 and 7.4.6.
- If immediate patching is not feasible, restrict network access to the FortiClient EMS telemetry endpoint to only trusted IP addresses.
- Monitor your FortiClient EMS deployments for any signs of compromise or unusual activity.
- Review network logs for suspicious HTTP requests targeting your EMS instances.