Attackers Exploit Zero-Day Vulnerability in Fortinet Security Software

Fortinet has initiated an urgent response to a significant security threat by releasing emergency patches in light of ongoing attempts by hackers to exploit two critical vulnerabilities, including a zero-day flaw. This flaw allows for remote code execution, posing a severe risk to organizations using FortiClient Endpoint Management Server (EMS).

On April 5, 2026, the company introduced a hotfix for the zero-day vulnerability, identified as CVE-2026-35616. Fortinet explicitly noted that this flaw had been actively exploited in the field and has urged clients using versions 7.4.5 and 7.4.6 of FortiClient EMS to apply the patch without delay.

Through the EMS software, security teams can centrally manage endpoints, such as laptops and mobile devices. This system integrates devices running the FortiClient software with Fortinet’s Security Fabric, which is designed to ensure endpoint protection and enforce Zero Trust protocols for network access.

The vulnerability facilitates authentication and authorization bypass for unauthenticated attackers, allowing for unauthorized code execution through crafted requests. This alarming development was highlighted by Finnish threat intelligence firm Defused, which communicated the vulnerability to Fortinet shortly after its discovery.

The Shadowserver Foundation reported that approximately 2,000 instances of FortiClient EMS are discoverable online, predominantly in the United States and Germany. The extent to which organizations have applied the provided hotfix remains unclear, raising concerns about unprotected systems.

Fortinet’s earlier identification of another severe flaw, tracked as CVE-2026-21643, also heightened risks. This vulnerability, patched in early February, similarly allows for execution of unauthorized code via crafted HTTP requests. Notably, both vulnerabilities have received a high Common Vulnerability Scoring System (CVSS) rating of 9.1, marking them as critical threats.

Benjamin Harris, CEO of the threat intelligence firm watchTowr, remarked that probing activity related to the recent zero-day flaw began shortly before the holiday weekend, culminating in a surge of attacks timed with lower staff availability and vigilance during the Easter period. Criminal actors often exploit such holidays to capitalize on reduced operational capacities within security teams.

Fortinet’s swift action reflects the urgency of this zero-day threat. While a comprehensive solution is yet to be deployed, the immediate hotfix is a critical stopgap measure. Edge devices frequently face such vulnerabilities due to their internet-facing nature, and Cisco Talos’ annual threat report highlights that older vulnerabilities continue to be actively targeted due to their potential for immediate network access.

This incident emphasizes the importance of continuous monitoring and timely patch management in defending against potential intrusions. As businesses increasingly depend on networked security solutions, maintaining robust protocols against exploited vulnerabilities remains paramount.