Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities The Register Security

Attackers exploited this critical FortiClient EMS bug as a 0-day

CVE-2026-35616 is a critical improper access control vulnerability (CVSS 9.8) in FortiClient EMS that allows unauthenticated remote code execution via crafted requests. The flaw affects FortiClient EMS versions 7.4.5 and 7.4.6, and Fortinet has released an emergency patch, though the article does not specify the fixed version number. This zero-day has been actively exploited in the wild since at least March 31, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.

CISA added the flaw to KEV after Fortinet confirmed exploitation in the wild

Jessica Lyons, Mon 6 Apr 2026 // 18:14 UTC

Fortinet released an emergency patch over the weekend for a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31.

The flaw, tracked as CVE-2026-35616, is an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code or commands via crafted requests. It earned a critical 9.1 CVSS rating, and in addition to urging customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, the firewall vendor also warned that it has "observed this to be exploited in the wild."

This product allows companies to centrally manage and secure both remote and office computers, and this bug is the second critical FortiClient flaw to come under attack in the past few weeks. In late March, security researchers warned that CVE-2026-21643, which also leads to unauthenticated remote code execution, was being actively exploited in the wild.

On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog, and set a Thursday deadline for all federal agencies to apply the patch.

The Register asked Fortinet for more details about who was abusing the security hole, and how many customers had been affected. While the security software company declined to answer our specific questions, a Fortinet spokesperson told The Register that "Our PSIRT response and remediation efforts remain ongoing," and "we are communicating directly with customers to advise on any necessary actions."

In the past, government-backed goons from Russia and China have targeted vulnerable FortiClient EMS instances.

The good news, according to VulnCheck VP of security research Caitlin Condon, is that "FortiClient EMS has a relatively small internet-facing footprint." Condon told The Register that her team's analysis observed about 100 internet-exposed instances.

WatchTowr CEO Benjamin Harris told us over the weekend that his security shop's honeypot infrastructure first captured attackers attempting to exploit CVE-2026-35616 on March 31.

On Monday, Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told The Register that the initial behavior "represented careful, 'low and slow' exploitation." But he added that it quickly picked up.

"As we regularly see when zero-days are rumbled, exploitation stops being quiet and targeted - with a clear shift to leverage their zero-day opportunistically and as indiscriminately as possible before patches begin to be applied," Dewhurst said. "We've said it before and we'll say it again when exploitation in-the-wild becomes rife: the best time to apply the hotfix was yesterday, and the second best time is right now."