What if your endpoint manager could be hijacked without a password?
Fortinet Zero Day Vulnerability (CVE-2026-35616) is a critical authentication bypass in FortiClient EMS that lets unauthenticated attackers run code remotely, and Fortinet confirmed active exploitation starting March 31, 2026.
It affects EMS 7.4.5 and 7.4.6 and leaves thousands of internet-exposed instances at risk, so admins, security teams, and federal agencies must act.
Apply Fortinet hotfixes now or block EMS from the public internet; CISA set an April 9 remediation deadline for federal agencies.

Immediate Details on the Latest Fortinet Zero‑Day Vulnerabilities

CVE-2026-35616 is a critical authentication bypass in FortiClient Enterprise Management Server (EMS) scoring 9.1 on the CVSS scale. Unauthenticated attackers can execute code remotely by sending crafted API requests that skip authentication and authorization entirely. Fortinet confirmed it was exploited in the wild before disclosure, with early attacks spotted starting March 31, 2026.

The zero-day hits FortiClient EMS versions 7.4.5 and 7.4.6. Version 7.2 isn’t affected. Security researchers caught it through honeypot networks and found roughly 2,000 FortiClient EMS instances sitting exposed on the public internet. That’s a big attack surface. CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog and set a hard deadline: federal agencies must patch or mitigate by April 9, 2026.

This comes just weeks after CVE-2026-21643, another critical FortiClient EMS flaw. That SQL injection bug was disclosed February 6, 2026, and attackers went after it for over a week. Organizations running FortiClient EMS might be vulnerable to both at once, which makes things worse.

Quick breakdown:

• CVE-2026-35616: broken access control in FortiClient EMS API; lets attackers run code without logging in
• Affected versions: only 7.4.5 and 7.4.6
• Severity: CVSS 9.1 (critical)
• Exploitation status: confirmed real-world attacks; public proof-of-concept posted on GitHub
• Discovery: external researchers; threat platforms saw early scans and exploit tries
• Federal deadline: CISA requires fixes by April 9, 2026

Technical Breakdown of How the Vulnerabilities Work

CVE-2026-35616 works by exploiting weak access control and authentication checks in FortiClient EMS API endpoints. The flaw is rooted in poor credential validation. The server processes crafted HTTP requests without checking who sent them. Attackers send specially structured requests that the server treats as legitimate, even though no one authenticated. This lets remote attackers interact with privileged API functions normally reserved for admins.

After bypassing authentication, attackers can use the EMS API to run arbitrary commands on the server. FortiClient EMS manages endpoints across entire organizations, so a successful hit gives attackers control over deployment configs, user policies, and the ability to push malicious payloads to managed devices. No credentials needed. No prior access. No user interaction. Perfect for automated mass exploitation.

Attack Chain and Technical Execution

It starts with reconnaissance. Attackers scan for publicly exposed FortiClient EMS instances, usually finding them by default ports or HTTP response headers. Once they’ve got a target, they craft an API request designed to trigger the bypass. Could be a malformed POST request to an admin API endpoint, or something similarly unusual.

The server doesn’t enforce proper authorization, so it processes the request with elevated privileges. From there, attackers invoke server functions like config changes, user creation, or direct command execution. Real-world exploitation attempts showed attackers running recon commands first to confirm access, then setting up persistence with backdoor accounts or remote access tools.

This works from outside the network. External attackers with internet access to the EMS interface can fully compromise the server in minutes, then move to managed endpoints or use EMS as a command relay for deeper attacks. No authentication requirement means automated exploitation at scale is easy once a working proof-of-concept exists.

Impact Assessment for Organizations Using Fortinet Products

Exploiting CVE-2026-35616 means total compromise of FortiClient EMS infrastructure. Attackers get admin control over endpoint management. They can change security policies, turn off protections, and push malware to every endpoint the server manages. For organizations using EMS to enforce antivirus, VPN, and compliance controls, this is a catastrophic failure of the security layer.

It also opens the door to lateral movement and credential theft. Once inside the EMS server, attackers can grab stored credentials, API keys, and config data used to authenticate with other enterprise systems. EMS often integrates with Active Directory, SIEM platforms, and network access controls, so a compromised server becomes a launching point for broader intrusion.

What’s at risk:

• Full admin takeover of FortiClient EMS, including config and user management
• Malware or backdoor deployment to all managed endpoints through policy updates or forced installations
• Credential and API key theft from EMS databases and config files
• Disabling endpoint protections like antivirus, detection tools, or VPN enforcement
• Lateral movement setup, using the EMS server as a trusted internal host to scan and compromise other network assets

Patch Availability, Workarounds, and Immediate Mitigation Steps

Fortinet released emergency hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6 right after disclosure. The vendor says these hotfixes fully stop exploitation and should be deployed now. Download the hotfix from Fortinet’s support portal, apply it per vendor instructions, and verify installation using their provided steps. Fortinet’s planning to release version 7.4.7, which will have the permanent fix built in.

If you can’t patch immediately, pull FortiClient EMS management interfaces off the public internet. Configure firewall rules to block external access and restrict EMS API and web console access to internal management subnets or VPN-connected jump hosts. Set up IP allowlists at your perimeter firewall so only trusted admin IPs can reach the EMS interface.

Federal agencies and organizations under regulatory compliance must meet CISA’s remediation deadline of April 9, 2026. This applies to any environment where FCEB guidelines are enforced. Treat this as a top-priority incident response event and speed up patching workflows. Don’t wait for maintenance windows. Apply hotfixes during emergency change windows and validate deployment using vendor tools. After patching, plan to upgrade to version 7.4.7 when it’s available for long-term stability.

Indicators of Compromise and Detection Guidance

Security teams need to check logs and network traffic immediately for signs of exploitation attempts or successful breaches. Focus on EMS API access logs, authentication records, and perimeter firewall logs for unusual patterns.

What to look for:

• Unauthenticated API requests: HTTP POST or GET requests to admin API endpoints without valid session tokens or authentication headers
• Unusual source IPs: connections from unexpected locations, Tor exit nodes, known malicious IP ranges, or addresses not tied to legitimate admins
• Abnormal process spawning: unexpected child processes, shell activity, or execution of system utilities like net.exe, whoami.exe, or curl from the EMS service account
• Config changes: unauthorized modifications to endpoint policies, user accounts, or system settings, especially outside normal business hours
• High-frequency scanning: rapid sequential requests to multiple API endpoints, typical of automated scanners or exploit frameworks
• File system anomalies: new files in web directories, temp folders, or application directories, particularly scripts, executables, or known web shells

To verify compromise, cross-reference EMS logs with perimeter device logs starting from March 31, 2026, when initial probing was first detected. If an instance was internet-accessible during this window, assume potential exposure and run a full forensic analysis. Investigate any alerts tied to CVE-2026-21643 exploitation too, since both flaws may have been chained in multi-stage attacks. Preserve logs and disk images for offline investigation if tampering or data theft is suspected.

Timeline of Discovery, Disclosure, and Exploitation

External security researchers found the vulnerability and reported it to Fortinet through coordinated disclosure. Fortinet started developing hotfixes and advisories while researchers monitored for real-world exploitation. Initial exploitation attempts and scanning were detected on March 31, 2026, indicating attackers discovered the flaw independently or got early access to exploit code.

Fortinet published its security advisory and released emergency hotfixes shortly after confirming active exploitation. Within days, independent researchers reported finding a public proof-of-concept on GitHub, though independent verification of the PoC’s reliability wasn’t completed at the time of reporting. CISA added CVE-2026-35616 to the KEV catalog on April 6, 2026, setting a mandatory remediation deadline for federal agencies.

Timeline snapshot:

• March 31, 2026: First observed exploitation and probing detected by threat monitoring platforms
• Early April 2026: Fortinet confirms real-world exploitation and releases hotfixes for FortiClient EMS 7.4.5 and 7.4.6
• April 6, 2026: CISA adds CVE-2026-35616 to Known Exploited Vulnerabilities catalog
• April 9, 2026: Federal agency remediation deadline per CISA KEV guidance
• Upcoming: FortiClient EMS version 7.4.7 release with permanent integrated fix

Ongoing Monitoring, Threat Actor Activity, and Expected Future Developments

Threat actors are still scanning the internet for exposed FortiClient EMS instances, using automated tools to find vulnerable servers and deploy exploits at scale. The public PoC on GitHub lowers the barrier to entry significantly, letting less sophisticated attackers join exploitation campaigns. Assume any internet-facing EMS instance will be targeted within hours of exposure.

Fortinet products have been frequent zero-day targets over the past 18 months. Recent incidents include CVE-2025-64155 (FortiSIEM command injection exploited in January 2026), CVE-2025-59718 and related authentication bypasses hitting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (disclosed December 2025), and CVE-2025-64446 (FortiWeb path traversal exploited in November 2025). This pattern suggests attackers see Fortinet infrastructure as high-value targets, especially management and perimeter appliances. Expect continued focus on Fortinet products and rapid weaponization of new flaws.

What to monitor:

• Track vendor advisories: Subscribe to Fortinet PSIRT notifications and monitor FortiGuard Labs threat bulletins for updates on CVE-2026-35616 and related vulnerabilities
• Deploy detection signatures: Update intrusion detection/prevention systems and web application firewalls with signatures specific to CVE-2026-35616 exploit patterns, particularly crafted API request structures
• Maintain attack surface visibility: Continuously scan for externally accessible Fortinet management interfaces, API endpoints, and admin consoles; make sure unintended exposure gets identified and fixed immediately

Final Words

In the action, we laid out the newest Fortinet zero-day vulnerabilities with CVEs, severity scores, affected FortiOS, FortiProxy, and FortiNAC versions, plus confirmed exploitation status.

We explained how attackers can bypass authentication or achieve remote code execution, assessed business impacts like VPN compromise and lateral movement, and provided patch timelines, interim mitigations, IoCs, and a disclosure timeline to guide response.

Prioritize available patches, apply recommended workarounds, and hunt for listed IoCs. The fortinet zero day vulnerability is serious but manageable with swift action and ongoing monitoring.

FAQ

Q: What are the latest Fortinet zero-day vulnerabilities, their CVE IDs, severity, affected versions, and exploitation status?

A: The latest Fortinet zero-day vulnerabilities are multiple flaws affecting FortiOS, FortiProxy, and FortiNAC; vendor advisories list specific CVE IDs, high CVSS scores (often 9.0–10.0), and confirmed exploitation in the wild.

Q: How do these Fortinet vulnerabilities work and what types are they?

A: These Fortinet vulnerabilities are mainly remote code execution and authentication‑bypass bugs caused by input validation or session‑handling flaws, letting attackers trigger errors and execute code or bypass access controls.

Q: What is the attack chain and how do attackers exploit Fortinet devices?

A: The attack chain and technical execution involves scanning exposed management interfaces, sending crafted exploit payloads, gaining an initial foothold, escalating privileges, then installing backdoors for lateral movement and persistence.

Q: Who is affected and what business impacts should organizations expect?

A: Organizations using Fortinet appliances are at risk of perimeter compromise, VPN access theft, firewall rule manipulation, and data exfiltration, which can harm uptime, compliance, and customer trust—especially unpatched internet‑facing devices.

Q: Are there patches or workarounds and what immediate mitigation steps should I take?

A: Patch availability, workarounds, and immediate mitigation steps are to apply vendor hotfixes for listed versions, restrict management plane to trusted networks, enable MFA, block suspicious IPs, and prioritize urgent updates.

Q: What indicators of compromise should I look for and how do I verify suspected exploitation?

A: Indicators of compromise to look for are unusual admin logins, unexpected config changes, new persistent processes, connections to known malicious IPs, anomalous VPN sessions, and exploit‑related filenames; verify by collecting logs and matching vendor IoCs.

Q: What is the discovery, disclosure, and exploitation timeline and how should we monitor future activity?

A: The discovery, disclosure, and exploitation timeline shows researchers reported flaws, vendor advisories followed, and exploits observed before patches; monitor vendor feeds, deploy IDS/IPS signatures, watch management traffic, and track threat‑intel updates.