Breaking: FortiClient Zero-Day Under Active Attack, Patch Now
Fortinet has issued an emergency, out-of-band hotfix for a critical zero-day vulnerability in its FortiClient Endpoint Management Server (EMS). The flaw, tracked as CVE-2026-35616, is currently being exploited in the wild, allowing unauthenticated attackers to bypass API security and execute arbitrary code with SYSTEM privileges.
For the Hacklido community, this represents a "tier-one" threat. Because the EMS server acts as the central brain for managing endpoint security policies across an entire network, a compromise here is effectively a "game over" scenario for the target organization.
Technical Breakdown: CVE-2026-35616
The vulnerability is an Improper Access Control issue (CWE-284) within the FortiClient EMS API. Security researchers from Defused Cyber, who responsibly disclosed the flaw, describe it as a pre-authentication bypass.
- Attack Vector: Remote, unauthenticated.
- Method: Attackers send specially crafted HTTP requests to the EMS administrative interface.
- Impact: By sidestepping the API's authorization layer, threat actors can execute unauthorized commands or code.
- CVSS Score: 9.1 (Critical).
The "Holiday Window" Strategy
Honeypot data from watchTowr Labs indicates that initial probes began as early as March 31, 2026, with sustained exploitation ramping up during the Easter holiday weekend. This aligns with a known adversary tactic: striking when IT and security teams are at half-strength.
This exploit follows closely on the heels of another recently patched FortiClient flaw, CVE-2026-21643, which was an SQL injection vulnerability. Analysts are currently investigating if both flaws are being weaponized together in a single attack chain.
Note: Fortinet has stated that the upcoming version 7.4.7 will include a permanent fix. In the meantime, the provided hotfixes for 7.4.5 and 7.4.6 are mandatory to prevent exploitation.
Immediate Mitigation Steps
- Check Exposure: Use tools like Shodan or Shadowserver to see if your EMS instance is internet-facing. Current data suggests roughly 2,000 instances are publicly reachable.
- Restrict Access: If you cannot patch immediately, block the EMS management ports (typically 4443 or 10443) from the open internet. Use a VPN or restricted IP allowlist.
- Audit for Indicators of Compromise (IoCs): Look for unexplained configuration changes, new administrative users, or unusual outbound traffic from the EMS server.
- CISA Compliance: CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies address it by April 9.
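As an added illustration of the "Audit for Indicators of Compromise" step above (not code from the original article or from Fortinet), the script below walks an exported EMS event log and flags the three indicator classes listed: administrative accounts created after probes began, configuration changes (especially ones made by such accounts), and outbound connections to destinations outside an expected egress allowlist. The event format, the allowlist and the sample lines are constructed for the example; only parse_event() needs changing for a real export.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Earliest probe date reported above; anything after it deserves a closer look.
PROBES_BEGAN = datetime(2026, 3, 31)
# Constructed allowlist of destinations this EMS server is expected to reach.
EXPECTED_EGRESS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed sample export, one event per line: "<timestamp> <category> k=v ...".
# The real EMS log layout differs; only parse_event() needs to change.
SAMPLE_EVENTS = """\
2026-03-28T09:12:00 admin action=login user=ems-admin src=10.0.5.20
2026-04-04T02:41:13 admin action=create_user user=svc_backup role=Administrator src=198.51.100.7
2026-04-04T02:43:50 config action=policy_update policy=Default-Endpoint-Profile by=svc_backup
2026-04-04T02:45:02 network action=outbound dst=203.0.113.45:443 proto=tcp
2026-04-06T11:00:00 network action=outbound dst=10.0.9.9:443 proto=tcp
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def parse_event(line):
    """Split one constructed event line into a dict of its fields."""
    ts, category, rest = EVENT_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "category": category, **fields}

def audit(text):
    """Return (finding, event) pairs for the three indicator classes listed above."""
    findings, new_admins = [], set()
    for line in filter(str.strip, text.splitlines()):
        ev = parse_event(line)
        recent = ev["ts"] >= PROBES_BEGAN
        if ev["category"] == "admin" and ev.get("action") == "create_user":
            if recent and ev.get("role") == "Administrator":
                new_admins.add(ev["user"])
                findings.append(("new administrative user after probes began", ev))
        elif ev["category"] == "config":
            if ev.get("by") in new_admins:
                findings.append(("configuration change by newly created admin", ev))
            elif recent:
                findings.append(("configuration change after probes began", ev))
        elif ev["category"] == "network" and ev.get("action") == "outbound":
            dst_ip = ip_address(ev["dst"].rsplit(":", 1)[0])  # strip the port
            if not any(dst_ip in net for net in EXPECTED_EGRESS):
                findings.append(("outbound traffic to unexpected destination", ev))
    return findings

if __name__ == "__main__":
    for finding, ev in audit(SAMPLE_EVENTS):
        print(f"{ev['ts'].isoformat()}  {finding}: {ev}")
```

Findings from a real export still need human review; a legitimate change made during the holiday window will be flagged too, which is the point of the triage.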
Hacklido Intelligence: The New Normal
The speed at which this zero-day moved from discovery to active exploitation—under 72 hours—highlights the collapsing window of defense. We are seeing a rise in "Agentic SOC" capabilities, where attackers use AI-driven tools to scan and exploit API bypasses the moment they are identified.
As a management plane, FortiClient EMS is a high-value target because it grants "keys to the kingdom." If you are running a vulnerable version, consider your network potentially compromised until a full audit is completed.