Apr 08, 2026 · 6 min read
A Fortinet Zero Day Lets Hackers Take Over Your Company's Endpoints Without a Password
CVE-2026-35616 is under active exploitation, and CISA gave federal agencies until April 9 to patch.
The Vulnerability
CVE-2026-35616 is a critical improper access control vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS), the centralized tool that thousands of organizations use to manage security software across their endpoints. It carries a CVSS score of 9.1 out of 10.
The flaw allows an unauthenticated attacker to bypass API authentication and authorization entirely, then execute unauthorized code or commands via crafted requests. No password, no credentials, no user interaction required. A single HTTP request to a vulnerable server can give an attacker administrative control.
It affects FortiClient EMS versions 7.4.5 and 7.4.6. The 7.2 branch is not affected.
Already Under Attack
This is not a theoretical risk. Security firm Defused Cyber discovered the vulnerability and watchTowr recorded the first exploitation attempts against its honeypots on March 31, 2026. Fortinet confirmed active exploitation in the wild when it published an emergency advisory on April 5.
CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 6, giving Federal Civilian Executive Branch agencies a deadline of April 9 to apply the fix. A three-day patch window is exceptionally aggressive, reflecting how dangerous the flaw is considered.
Why FortiClient EMS Matters
FortiClient EMS is not a niche product. It is the management server that controls Fortinet's endpoint security agents deployed across laptops, desktops, and servers in enterprise environments. Compromising the EMS server means an attacker potentially gains the ability to push malicious configurations or software to every managed endpoint in the organization.
This is the kind of access that ransomware operators dream of: a single point of entry that cascades into full network compromise. An attacker who controls the endpoint management server controls the security infrastructure itself.
A Pattern of Fortinet Vulnerabilities
CVE-2026-35616 arrives just days after another critical vulnerability in the same product, CVE-2026-21643, came under active exploitation. That flaw, also rated CVSS 9.1, was a pre-authentication SQL injection that Bishop Fox publicly analyzed before attackers began targeting it in the wild.
Fortinet products have become a favored target for both state-sponsored actors and cybercriminal groups. The pattern is consistent: critical flaws in internet-facing Fortinet appliances are discovered, patches are issued, and exploitation begins before many organizations can apply them. The same dynamic has played out with FortiGate firewalls, FortiOS SSL VPN, and now FortiClient EMS.
This mirrors what we have seen with other security vendors. Cisco's Firepower Management Center zero-day was exploited by Interlock ransomware for 36 days before anyone noticed. Security products are supposed to protect networks, but when they become the entry point, the damage is amplified.
What to Do Right Now
If your organization runs FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency:
- Apply the hotfix immediately. Fortinet has released emergency hotfixes for both affected versions. Version 7.4.7 with a permanent fix is forthcoming.
- Check for indicators of compromise. Review EMS server logs for unusual API activity, unexpected administrative actions, or connections from unfamiliar IP addresses, particularly since March 31.
- Restrict network access to the EMS management interface. It should never be exposed to the public internet.
- Monitor managed endpoints for unexpected configuration changes or newly deployed software that did not come from your IT team.
- Audit the 7.2 branch for CVE-2026-21643 if you have not already, as that SQL injection flaw is also being actively exploited.
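The log review in the second step, worked through as an added example that is not Fortinet's code: the script filters constructed EMS-style API log lines to the window that opened on March 31 and flags successful calls from outside a management subnet, calls with no authenticated user, and calls to administrative or deployment endpoints. The line format, field names, management subnet and API paths are all assumptions made for illustration, not the real EMS log schema.

```python
# Added triage example, not Fortinet's code. The log line format, the field
# names, the management subnet and the API paths below are all assumptions
# made for illustration; map them onto the real EMS log fields before use.
from datetime import datetime
import ipaddress
# Constructed sample lines, assumed format:
# "<ISO timestamp> src=<ip> user=<name or -> method=<verb> path=<api path> status=<code>"
SAMPLE_LOG = """\
2026-03-30T08:12:01Z src=10.0.5.21 user=admin method=GET path=/api/v1/endpoints status=200
2026-03-31T02:44:17Z src=203.0.113.77 user=- method=POST path=/api/v1/admin/users status=200
2026-04-01T11:03:55Z src=10.0.5.21 user=admin method=POST path=/api/v1/policies status=200
2026-04-02T23:59:40Z src=198.51.100.9 user=- method=POST path=/api/v1/deploy status=200
2026-04-03T09:15:02Z src=203.0.113.77 user=- method=GET path=/api/v1/login status=401
"""
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]      # assumed management subnet
EXPLOIT_START = datetime(2026, 3, 31)                        # first honeypot hits reported
ADMIN_PATHS = ("/api/v1/admin/", "/api/v1/deploy", "/api/v1/policies")  # assumed paths

def parse_line(line):
    """Split one assumed-format line into a dict with a parsed timestamp and status."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec

def suspicious(rec):
    """Reasons a successful call on or after 2026-03-31 deserves a look."""
    if rec["ts"] < EXPLOIT_START or rec["status"] >= 400:
        return []                                 # out of window, or the call was refused
    reasons = []
    if not any(ipaddress.ip_address(rec["src"]) in net for net in ADMIN_NETWORKS):
        reasons.append("source outside management subnet")
    if rec["user"] == "-":
        reasons.append("successful call with no authenticated user")
    if rec["path"].startswith(ADMIN_PATHS):
        reasons.append("administrative or deployment endpoint")
    return reasons

def triage(log_text):
    """Return (timestamp, source, path, reasons) for every line worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = suspicious(rec)
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["src"], rec["path"], reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Legitimate administrative calls from inside the subnet are still listed (with a single reason) so that "unexpected administrative actions" can be compared against change records rather than silently dropped.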
The Bigger Problem
Two critical, actively exploited zero days in the same product within weeks of each other is not a coincidence. It suggests that attackers are systematically probing FortiClient EMS, likely because they understand the payoff: compromising the management server gives them the keys to every endpoint it controls.
For security teams, the lesson is uncomfortable: the tools you deploy to protect your network can become your biggest vulnerability. Keeping security infrastructure patched and segmented from the open internet is no longer optional. It is the minimum baseline.