New Fortinet Flaw Allows Unauthorized Access to Enterprise Systems
Fortinet warns of a critical FortiClient EMS zero-day vulnerability that is currently being exploited, allowing attackers to ...
Fortinet has issued emergency patches for a critical zero-day vulnerability in its FortiClient Endpoint Management Server (EMS) that is actively being exploited in the wild. The flaw, tracked as CVE-2026-35616, carries a CVSS score of 9.1 and allows unauthenticated attackers to bypass authentication and execute arbitrary code via crafted HTTP requests.
What Happened
On April 5, Fortinet released a hotfix for FortiClient EMS versions 7.4.5 and 7.4.6. The vulnerability lets remote attackers run unauthorized code without any credentials. Finnish threat intelligence firm Defused disclosed the flaw and credited Fortinet for its fast response, noting that the hotfix was pushed out over the Easter holiday weekend.
Scope of Exposure
The Shadowserver Foundation identified roughly 2,000 FortiClient EMS instances exposed on the internet, with the largest concentrations in the United States and Germany. It remains unclear how many have installed the hotfix. Attackers had already begun probing vulnerable servers as early as Tuesday before the holiday weekend, with sustained exploitation starting on Good Friday.
Not an Isolated Problem
This zero-day is the second critical FortiClient EMS flaw disclosed this year. CVE-2026-21643, a SQL injection vulnerability also rated CVSS 9.1, was patched in February after active exploitation was confirmed. Edge devices remain prime targets because they sit on the network perimeter and are often slow to be patched. According to Cisco Talos, roughly a third of the top 100 most exploited vulnerabilities in 2025 were over a decade old.
WAFplanet Take
Fortinet's quick turnaround on a holiday-weekend hotfix deserves credit, but the pattern is getting familiar. Two critical zero-days in the same product within two months suggest deeper code quality issues that a hotfix cycle cannot fully address. Organizations running FortiWeb or other Fortinet products should audit their exposure immediately. If you run FortiClient EMS, treat this as a patch-now situation. Holiday exploit windows are a well-worn playbook, and defenders need to stop being surprised by them.