Critical vulnerability in Fortinet's enterprise management software is being weaponized by attackers, prompting CISA to add it to the KEV catalog with a federal agency patching deadline.
Fortinet has issued an emergency patch for a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that is already being exploited in the wild as a 0-day. The flaw, tracked as CVE-2026-35616, is an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code or commands via crafted requests, earning it a critical 9.1 CVSS rating.
Active Exploitation and Federal Response
The vulnerability has been under active attack since at least March 31, according to security researchers who first captured exploitation attempts in their honeypot infrastructure. On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog, setting a Thursday deadline for all federal agencies to apply the patch.
Fortinet released hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6 over the weekend, urging customers to install them immediately. The company confirmed it has "observed this to be exploited in the wild" but declined to provide specific details about who was abusing the security hole or how many customers had been affected.
Exploitation Pattern and Attacker Behavior
Security researchers observed a concerning shift in attacker behavior once the vulnerability became known. WatchTowr's honeypot infrastructure first detected exploitation attempts on March 31, describing the initial activity as "careful, 'low and slow' exploitation." However, this quickly changed as attackers began leveraging the 0-day more aggressively.
"As we regularly see when zero-days are rumbled, exploitation stops being quiet and targeted - with a clear shift to leverage their zero-day opportunistically and as indiscriminately as possible before patches begin to be applied," said Ryan Dewhurst, head of proactive threat intelligence at watchTowr.
This pattern is typical of 0-day exploitation, where attackers initially conduct targeted operations before shifting to broader, more opportunistic attacks once the vulnerability becomes public knowledge.
Limited Attack Surface but Significant Risk
According to VulnCheck VP of security research Caitlin Condon, FortiClient EMS has a "relatively small internet-facing footprint," with analysis showing approximately 100 internet-exposed instances. However, the critical nature of the vulnerability and its potential for unauthenticated remote code execution makes it particularly dangerous.
FortiClient EMS is enterprise software that allows companies to centrally manage and secure both remote and office computers, making it a valuable target for attackers seeking to compromise corporate networks.
Context of Previous Fortinet Vulnerabilities
This is the second critical FortiClient flaw to come under attack in recent weeks. In late March, security researchers warned that CVE-2026-21643, which also leads to unauthenticated remote code execution, was being actively exploited in the wild. The recurrence of critical vulnerabilities in Fortinet products has raised concerns about the security of widely deployed enterprise security infrastructure.
Historical Context of Attacks on Fortinet Products
Government-backed threat actors from Russia and China have previously targeted vulnerable FortiClient EMS instances. The exploitation of Fortinet products by nation-state actors has been documented in various incidents, including attacks by Russia's Sandworm group and other sophisticated threat actors.
Urgent Patching Required
Security experts emphasize the urgency of applying the available patches. "The best time to apply the hotfix was yesterday, and the second best time is right now," Dewhurst stressed, highlighting the critical nature of the vulnerability and the active exploitation in the wild.
Organizations using FortiClient EMS should immediately assess their exposure, apply the emergency patches, and monitor for any signs of compromise. The combination of unauthenticated access, remote code execution capability, and active exploitation makes this vulnerability a severe threat that requires immediate attention.
The rapid transition from 0-day exploitation to widespread attacks underscores the importance of maintaining robust vulnerability management programs and the ability to quickly deploy emergency patches when critical vulnerabilities are discovered.
Comments
Please log in or register to join the discussion