CISA Warns of Fortinet 0-Day Vulnerability Actively Exploited in Attacks

Emy Elsamnoudy
April 6, 2026

Key Takeaways

  • A critical zero-day vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) is being actively exploited in the wild.
  • The flaw, an improper access control issue, allows unauthenticated attackers to achieve remote code execution (RCE) and privilege escalation.
  • FortiClient EMS versions 7.4.5 and 7.4.6 are affected; version 7.2 is not vulnerable.
  • Fortinet has released an emergency hotfix, and CISA has added the flaw to its KEV catalog, mandating rapid remediation for federal agencies.

CISA Issues Urgent Warning for Actively Exploited Fortinet EMS Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an actively exploited zero-day vulnerability impacting FortiClient Enterprise Management Server (EMS). Identified as CVE-2026-35616, this improper access control flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as of April 6, 2026, signaling its immediate and severe threat.

Technical Details of CVE-2026-35616

CVE-2026-35616 is a critical-severity vulnerability, scoring 9.1 on the CVSS scale, and is categorized under CWE-284 (Improper Access Control). It affects FortiClient EMS versions 7.4.5 and 7.4.6; Fortinet has confirmed that the 7.2 branch of the software is unaffected.

The core of the vulnerability is a pre-authentication API access bypass. The flaw lets attackers escalate privileges without any valid credentials, giving them unauthorized access to the system.

According to Fortinet’s official advisory (FG-IR-26-099), an unauthenticated attacker can exploit this vulnerability by crafting specific HTTP requests. These requests bypass the API’s authentication and authorization mechanisms, leading to the execution of malicious code or commands. This capability provides threat actors with an unauthenticated remote code execution (RCE) primitive against exposed EMS deployments.

Discovery and In-the-Wild Exploitation

Active exploitation of this zero-day was first documented on March 31, 2026, when security firm watchTowr observed attempts against its honeypots. The vulnerability was responsibly discovered and reported by security researchers Simo Kohonen from Defused Cyber and Nguyen Duc Anh. Fortinet promptly confirmed the in-the-wild exploitation in an emergency advisory, urging vulnerable customers to apply the available hotfix for FortiClient EMS 7.4.5 and 7.4.6.

The swift response from Fortinet, following Defused Cyber’s public disclosure, underscores the urgency of this threat. This incident marks the second critical EMS vulnerability to be exploited within a few weeks, raising significant concerns about the security posture of internet-facing FortiClient EMS deployments.

Impact of Successful Exploitation

A successful exploit of CVE-2026-35616 grants attackers extensive capabilities, including:

  • Bypassing API authentication and authorization controls without requiring any credentials, as detailed by Cyberleveling.
  • Executing unauthorized code or commands remotely through specially crafted requests, as highlighted by NIST’s NVD.
  • Potentially establishing an initial foothold within the target network, which could facilitate lateral movement or the deployment of additional malware, according to Security Affairs.
  • Escalating privileges within the EMS environment, thereby compromising connected endpoint clients, as reported by CDO Times.

Because the EMS telemetry endpoint needs to be internet-accessible to communicate with enrolled endpoints, the attack surface for this vulnerability is significantly broader.

Mandated Remediation and Global Exposure

CISA’s inclusion of CVE-2026-35616 in its KEV catalog, under Binding Operational Directive (BOD) 22-01, mandates that all U.S. federal civilian executive branch agencies apply necessary mitigations by April 9, 2026. This tight three-day remediation window underscores the critical nature of the active exploitation.

The Shadowserver Foundation has also issued an urgent advisory to administrators of FortiClient EMS, identifying over 2,000 publicly accessible instances globally. They have confirmed active exploitation of critical unauthenticated remote code execution vulnerabilities in at least two of these instances.

What You Should Do

  • Immediately apply the hotfix provided by Fortinet for FortiClient EMS versions 7.4.5 and 7.4.6.
  • If immediate patching is not feasible, restrict network access to the FortiClient EMS telemetry endpoint to only trusted IP addresses.
  • Monitor your FortiClient EMS deployments for any signs of compromise or unusual activity.
  • Review network logs for suspicious HTTP requests targeting your EMS instances.
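
The log review and trusted-IP restriction above, as an added example that is not from the original article or from Fortinet: it scans web access logs for API requests that reached the EMS host from sources outside a trusted allowlist, starting at the first documented exploitation date. The combined log format, the `/api/` path prefix, the trusted networks and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed, not from Fortinet or the article: log format, "/api/" prefix, trusted networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]
API_PREFIX = "/api/"
# The article dates the first observed exploitation to March 31, 2026.
REVIEW_FROM = datetime(2026, 3, 31, tzinfo=timezone.utc)
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(src):
    addr = ipaddress.ip_address(src)  # raises ValueError on a non-IP field
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines):
    """Return (findings, unparsed): API requests from untrusted sources, per source IP."""
    findings = defaultdict(lambda: {"hits": 0, "ok": 0, "paths": set()})
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            trusted = is_trusted(m["src"])
        except (TypeError, ValueError):  # no regex match, bad timestamp or bad IP
            unparsed += 1  # counted, not dropped silently: gaps can hide activity
            continue
        if ts < REVIEW_FROM or trusted or not m["path"].startswith(API_PREFIX):
            continue
        entry = findings[m["src"]]
        entry["hits"] += 1
        entry["ok"] += m["status"].startswith("2")  # 2xx answered to an untrusted source
        entry["paths"].add(m["path"].split("?", 1)[0])
    return dict(findings), unparsed

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE = [
    '10.20.4.7 - - [31/Mar/2026:08:00:01 +0000] "GET /api/v1/placeholder-a HTTP/1.1" 200 512',
    '203.0.113.50 - - [30/Mar/2026:23:59:59 +0000] "POST /api/v1/placeholder-a HTTP/1.1" 401 90',
    '203.0.113.50 - - [31/Mar/2026:02:14:09 +0000] "POST /api/v1/placeholder-a HTTP/1.1" 401 90',
    '203.0.113.50 - - [31/Mar/2026:02:14:11 +0000] "POST /api/v1/placeholder-b?x=1 HTTP/1.1" 200 77',
    '198.51.100.9 - - [02/Apr/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'truncated or corrupted line',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A 2xx response to an untrusted source on an API path is the case to investigate first; once the trusted-IP restriction is in place, the findings for new log data should be empty.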
