Full Report
Two critical defects in FortiClient EMS have been exploited in the past couple of weeks. Experts push for users to apply an immediate hotfix. The post *Fortinet customers confront actively exploited zero-day, with a full patch still pending* appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Active Exploitation of FortiClient EMS Zero-Day
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Not explicitly stated (the reporting notes similarities to a previous SQL injection flaw in the same product, which suggests an injection-class weakness leading to remote code execution)
## Affected Systems
- **Products:** Fortinet FortiClient Enterprise Management Server (EMS)
- **Versions:** Vulnerable versions are not listed in the source text; approximately 2,000 instances are currently identified as publicly exposed.
- **Configurations:** Systems exposed to the public internet are at highest risk.
## Vulnerability Description
CVE-2026-35616 is an unauthenticated zero-day vulnerability that allows for Remote Code Execution (RCE). Technical details indicate it shares similarities with a previous defect (CVE-2026-21643), which was a critical SQL injection flaw. The vulnerability allows an attacker to execute arbitrary code on the management server without requiring valid credentials.
## Exploitation
- **Status:** Exploited in the wild (Actively exploited since March 31, 2026)
- **Complexity:** Low (Unauthenticated RCE)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to endpoint management data)
- **Integrity:** High (Ability to execute arbitrary commands and modify configurations)
- **Availability:** High (Potential for complete system takeover or shutdown)
## Remediation
### Patches
- **Hotfix:** Fortinet has released an emergency hotfix to address the vulnerability.
- **Full Patch:** A comprehensive software update is still pending and has not yet been released.
### Workarounds
- The article emphasizes applying the **emergency hotfix** immediately as the primary mitigation.
- While not explicitly listed, standard hardening for EMS involves restricting access to the management interface via firewall/VPN.
## Detection
- **Indicators of Compromise:** Users should look for unauthorized probes or exploitation attempts that began ramping up around March 31, 2026, and accelerated through April 6, 2026.
- **Detection methods and tools:**
  - Shadowserver scans indicate nearly 2,000 exposed instances; organizations should check their exposure via Shadowserver or local asset discovery.
  - CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog.
## References
- **Vendor Advisory:** https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- **CISA KEV Catalog:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** https://dashboard.shadowserver.org/statistics/iot-devices/time-series/?date_range=30&vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29