Fortinet releases emergency patch for critical FortiClient EMS vulnerability

Fortinet has issued a critical hotfix for CVE-2026-35616, a pre-authentication API access bypass in FortiClient EMS that has been targeted in the wild. Organizations should apply the hotfix or upgrade to version 7.4.7 immediately to protect their systems from unauthorized access.

Triage Security Media Team

Fortinet has deployed an emergency patch to address CVE-2026-35616, a critical zero-day vulnerability in its FortiClient Endpoint Management Server (EMS) software that threat actors have actively targeted in the wild.

Disclosed on Saturday, the vulnerability is categorized as an improper access control issue and carries a CVSS score of 9.1. Left unpatched, it allows an unauthenticated party to execute code or commands through crafted requests.

In a security advisory, Fortinet confirmed that unauthorized activity has occurred and advised customers to install the hotfix for FortiClient EMS versions 7.4.5 and 7.4.6 immediately. Fortinet noted that the upcoming FortiClient EMS 7.4.7 release will include the standard fix, but the hotfix fully prevents unauthorized access in the interim.
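The remediation guidance above (hotfix for 7.4.5 and 7.4.6, standard fix in 7.4.7) is easy to mis-apply across a fleet when versions are compared as strings. The following is an added example, not code from the article, Fortinet, or Defused: a small Python triage script that reads a constructed EMS inventory and maps each host to an action. The inventory format, the hostnames, the `hotfix` flag, and the decision to treat any version at or above 7.4.7 as fixed are assumptions made for the example; versions the article says nothing about are flagged for a manual advisory check rather than assumed safe.

```python
"""Added example (not from the article): triage a FortiClient EMS inventory
against the remediation guidance reported for CVE-2026-35616.

Assumptions, labelled as such: the inventory format and hostnames below are
constructed for the example; the only version facts used are those in the
article (7.4.5 and 7.4.6 need the hotfix, 7.4.7 carries the standard fix).
Treating anything >= 7.4.7 as fixed is an assumption drawn from that statement;
anything outside the covered range is flagged for a manual advisory check.
"""
from typing import List, Tuple

HOTFIX_VERSIONS = {(7, 4, 5), (7, 4, 6)}   # per the article: hotfix available
FIXED_FROM = (7, 4, 7)                      # per the article: standard fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.4.6' into (7, 4, 6) so versions compare numerically, not lexically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str, hotfix_applied: bool = False) -> str:
    """Map one EMS version (plus whether the hotfix was applied) to an action."""
    v = parse_version(version)[:3]          # compare on major.minor.patch only
    if v in HOTFIX_VERSIONS:
        return "ok-hotfixed" if hotfix_applied else "apply-hotfix-or-upgrade-7.4.7"
    if v >= FIXED_FROM:
        return "fixed"                      # assumption: fix carried forward
    return "check-advisory"                 # not covered by the article's guidance


def triage(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Return (host, action) pairs with hosts that still need action listed first."""
    rows = [(h["host"], classify(h["version"], h.get("hotfix", False))) for h in inventory]
    order = {"apply-hotfix-or-upgrade-7.4.7": 0, "check-advisory": 1,
             "ok-hotfixed": 2, "fixed": 3}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory: hostnames and the 'hotfix' field are made up.
SAMPLE_INVENTORY = [
    {"host": "ems-01.example.internal", "version": "7.4.6"},
    {"host": "ems-02.example.internal", "version": "7.4.5", "hotfix": True},
    {"host": "ems-03.example.internal", "version": "7.4.7"},
    {"host": "ems-lab.example.internal", "version": "7.2.10"},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {action}")
```

Parsing the version into an integer tuple is the point of the example: a string comparison would rank "7.4.10" below "7.4.9" and silently misclassify hosts, and the `check-advisory` bucket keeps the script from declaring any version safe that the reported guidance does not actually cover.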

Security researcher Nguyen Duc Anh and Simo Kohonen, founder and CEO of Defused, discovered and reported the vulnerability. At this stage, unauthorized activity appears limited to a single source.

This vulnerability follows another recent FortiClient EMS security flaw, CVE-2026-21643. Defused researchers identified unauthorized access attempts against that critical SQL injection vulnerability late last month after its disclosure and patch on February 6. Kohonen reported no visible overlap in threat activity between the two vulnerabilities, noting that activity for the newer zero-day remains isolated to the original access method.

Technical details and discovery

Defused categorized CVE-2026-35616 as a "pre-authentication API access bypass" that allows an unauthorized party to entirely circumvent API authorization. The security firm identified the vulnerability using its Radar feature, a large-scale anomaly detector designed to surface new vulnerabilities and trends from honeypot data. Radar previously identified targeting activity for CVE-2026-3055, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway.

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian executive branch (FCEB) agencies have until April 9 to remediate the vulnerability.

Also on Monday, Tenable senior staff engineer Scott Caveza noted the presence of a public proof-of-concept on GitHub. While Tenable researchers have not yet verified the code, Caveza advised that unauthorized activity will likely increase as access methods become public.

Historical targeting of Fortinet environments

Threat actors consistently target Fortinet infrastructure, requiring organizations to maintain strict patching cadences.

In January, threat actors targeted a critical zero-day vulnerability to gain access to customer systems through the FortiCloud single sign-on (SSO) feature. During the same month, threat actors widely targeted CVE-2025-64155, a critical command-injection vulnerability in FortiSIEM.

In early December, Fortinet disclosed two critical authentication bypass vulnerabilities affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. One of these, CVE-2025-59718, was added to CISA's KEV catalog shortly after. In November, unauthorized parties targeted CVE-2025-64446, a critical path traversal vulnerability in FortiWeb.

Threat actors also focus on existing misconfigurations. In February, Amazon Web Services researchers found that a threat actor had gained unauthorized access to hundreds of FortiGate devices by using AI to identify weak credentials, exposed ports, and related security gaps.

(Note: The original article detailing these events was authored by Rob Wright, Senior News Director at Dark Reading.)
