Attackers exploited this critical FortiClient EMS bug as a 0-day

CISA added the flaw to KEV after Fortinet confirmed exploitation in the wild

by · The Register

Fortinet released an emergency patch over the weekend for a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31.

The flaw, tracked as CVE-2026-35616, is an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code or commands via crafted requests. It earned a critical 9.1 CVSS rating, and in addition to urging customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, the firewall vendor also warned that it has "observed this to be exploited in the wild."

This product allows companies to centrally manage and secure both remote and office computers, and this bug is the second critical FortiClient flaw to come under attack in the past few weeks. In late March, security researchers warned that CVE-2026-21643, which also leads to unauthenticated remote code execution, was being actively exploited in the wild.

On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog, and set a Thursday deadline for all federal agencies to apply the patch. 

The Register asked Fortinet for more details about who was abusing the security hole, and how many customers had been affected. While the security software company declined to answer our specific questions, a Fortinet spokesperson told The Register that "Our PSIRT response and remediation efforts remain ongoing," and "we are communicating directly with customers to advise on any necessary actions."

In the past, government-backed goons from Russia and China have targeted vulnerable FortiClient EMS instances.

The good news, according to VulnCheck VP of security research Caitlin Condon, is that "FortiClient EMS has a relatively small internet-facing footprint." Condon told The Register that her team's analysis observed about 100 internet-exposed instances.

WatchTowr CEO Benjamin Harris told us over the weekend that his security shop's honeypot infrastructure first captured attackers attempting to exploit CVE-2026-35616 on March 31.

On Monday, Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told The Register that the initial behavior "represented careful, 'low and slow' exploitation."

But he added that this quickly picked up. "As we regularly see when zero-days are rumbled, exploitation stops being quiet and targeted - with a clear shift to leverage their zero-day opportunistically and as indiscriminately as possible before patches begin to be applied," Dewhurst said. "We've said it before and we'll say it again when exploitation in-the-wild becomes rife: the best time to apply the hotfix was yesterday, and the second best time is right now." ®