Overview

On April 6, 2026, Fortinet released an emergency hotfix for an actively exploited zero-day vulnerability — CVE-2026-35616 — affecting FortiClient EMS, its endpoint management platform for customer devices. The vulnerability carries a CVSS score of 9.8 (Critical) and was added to CISA's Known Exploited Vulnerabilities catalog on the same day.

The story was reported by Matt Kapko for CyberScoop. At the time of publication, a full patch had not yet been released — only the emergency hotfix was available, with Fortinet indicating a more comprehensive update was forthcoming.

Exploitation was first observed on March 31. By April 6 — as the hotfix became public and attention grew — attacker activity had ramped up significantly, according to watchTowr's Benjamin Harris.

Technical Details

The article does not specify the precise weakness category or the internal FortiClient EMS component affected. What it does make clear is the practical consequence: remote code execution without authentication. This places it in the highest-severity class of web-facing vulnerabilities.

The zero-day is described as similar to CVE-2026-21643, another unauthenticated FortiClient EMS defect disclosed on February 6, 2026, which had also been exploited in the wild. Key technical points from the reporting:

  • Two critical FortiClient EMS defects were exploited within the same two-week window, both allowing unauthenticated remote code execution.
  • Researchers found no significant link between the two vulnerabilities and did not attribute the attacks to known threat actors.
  • Shadowserver scans identified nearly 2,000 publicly exposed FortiClient EMS instances — though how many were running vulnerable versions was unclear at time of reporting.

Because FortiClient EMS manages endpoint devices, remote code execution on the management server gives attackers potential leverage over every system and setting it administers — a blast radius far larger than the server itself.

Vendor Response

Fortinet's response followed a "hotfix now, full patch later" posture — unusual and notable in its urgency. Key points from the article:

  • An emergency hotfix was issued over a holiday weekend (Easter), which watchTowr's Harris credited as a sign of urgency from Fortinet.
  • A Fortinet spokesperson confirmed response and remediation efforts were ongoing and that the company was communicating directly with customers about required actions.
  • No full patch was available at time of publication. Fortinet said a more comprehensive update was planned but gave no specific timeline.

Harris also noted that holiday weekends are a recurring window of advantage for attackers — reduced staffing, slower detection, and delayed response all compound the risk. The exploitation ramp-up coinciding with the Easter period was not coincidental.

Broader Context: Fortinet as a Persistent Target

This incident is not isolated. VulnCheck's Caitlin Condon noted that Fortinet solutions are consistently popular targets for threat actors. Since early 2025, CISA has added 10 separate Fortinet defects to its Known Exploited Vulnerabilities catalog — a rate that signals sustained attacker interest in the platform across multiple products and vulnerability classes.

The pattern of two unauthenticated RCE vulnerabilities in the same product being exploited within weeks of each other raises questions about the security review process for FortiClient EMS specifically, and about how quickly organizations running endpoint management platforms are able to apply emergency patches when they are internet-exposed.

Lessons Learned

As a cybersecurity student, this incident reinforces several principles that connect directly to vulnerability management and operational security:

  • Internet exposure is the primary risk amplifier. Nearly 2,000 publicly reachable FortiClient EMS instances dramatically expands the attacker's opportunity. Management platforms should not be directly internet-facing without strict access controls.
  • CVSS 9.8 plus active exploitation means patch immediately. A critical score alone is sometimes deprioritized. Confirmed in-the-wild exploitation changes the calculus entirely — even a hotfix should be applied the same day it is available.
  • Endpoint management platforms are high-value targets. Compromising the system that manages other systems gives attackers disproportionate reach. These platforms need to be treated as crown-jewel infrastructure.
  • Exploitation ramps up as awareness spreads. The jump in activity between March 31 and April 6 shows how quickly lower-skilled attackers pile in once a vulnerability becomes public knowledge. Early detection and fast patching matter before the window widens.
  • Attackers time operations around defender gaps. Holiday weekends reduce staffing and slow response. Security teams need on-call coverage and automated alerting precisely because adversaries account for these gaps.

References

  1. Kapko, M. (2026, April 6). Fortinet customers confront actively exploited zero-day, with a full patch still pending. CyberScoop.
  2. CISA. (2026, April 6). Known Exploited Vulnerabilities Catalog — CVE-2026-35616. cisa.gov/known-exploited-vulnerabilities-catalog