INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Fortinet Zero-Day Exploit Patch Released
2026-04-06 21:12 | CRITICAL HIGH
Executive Summary AI-generated
The zero-day vulnerability CVE-2026-35616 has been added to the Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog, with a CVSS rating of 9.8. The flaw was first disclosed by Fortinet on Monday, March 31, as an improper access control vulnerability in its FortiClient EMS software. The exploited zero-day follows another FortiClient EMS vulnerability, tracked as CVE-2026-21643, that came under attack late last month. Experts warn of growing attacker interest and potential broader targeting due to the recent disclosure.
Technical Mitigations AI-generated
* Install Fortinet's hotfix for FortiClient EMS versions 7.4.5 and 7.4.6 to prevent exploitation of CVE-2026-35616.
* Monitor customer devices for signs of compromise, such as suspicious activity or unusual network connections, and take prompt action if necessary.
* Use secure protocols (e.g., HTTPS) when communicating with customers' endpoints to reduce the risk of exploitation by attackers.
* Regularly review and update software configurations and settings to ensure that FortiClient EMS is properly configured and patched against known vulnerabilities.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-64155
CVE-2025-59718
CVE-2026-21643
CVE-2026-35616
CVE-2025-64446
Target & Sectors
Global Scope
Incident Timeline
early 2025
Fortinet's 10 known exploited vulnerabilities were discovered and reported to CISA by customers in early 2025.
general_metric
10 Fortinet defects
CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025.
Feb. 6
Threat actors exploited a newly discovered zero-day vulnerability in Fortinet customers' systems, which shares similarities with CVE-2026-21643.
vulnerability
CVE-2026-21643
The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6.
organisation
SQL
Defused spotted exploitation activity against the critical SQL injection flaw, which was first disclosed and patched on Feb. 6.
2026/03/07
Threat actors exploited CVE-2026-21643, a zero-day vulnerability in Fortinet customers' FortiClient EMS systems.
vulnerability
CVE-2026-21643
The exploited zero-day flaw follows another FortiClient EMS vulnerability, tracked as CVE-2026-21643, that came under attack late last month.
2026/03/30
Threat actors used a recently disclosed zero-day vulnerability in Fortinet's software to target affected customers.
vulnerability
CVE-2026-21643
The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild.
March 31
Unknown attackers attempted to exploit a zero-day vulnerability in Fortinet customers' systems on March 31.
organisation
CyberScoop
Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop.
2026/04/05
Threat actors exploited a recently disclosed zero-day vulnerability in Fortinet products.
April 6
Fortinet issued a hotfix on April 6 to address the exploited zero-day.
organisation
Fortinet
“As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”
2026-3055
Threat actors exploited CVE 2026-3055 in Citrix NetScaler ADC and NetScaler Gateway.
organisation
Citrix NetScaler ADC
organisation
NetScaler Gateway
Kohonen says Radar, which will be publicly launched in the coming days, had previously flagged exploitation activity for CVE 2026-3055, a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway.
2026/04/06
Fortinet released a hotfix for FortiClient EMS versions 7.4.5 and 7.4.6 to address CVE-2026-35616, an improper access control vulnerability that allows unauthenticated access through crafted requests.
organisation
Fortinet
organisation
FortiClient Endpoint Management
organisation
EMS
On Saturday, Fortinet disclosed CVE-2026-35616, which it described as an improper access control vulnerability in its FortiClient Endpoint Management Server (EMS) software.
organisation
Defused
organisation
API
CVE-2026-35616 Exploitation Activity
In a post on social media platform X, Defused described CVE-2026-35616 as a "pre-authentication API access bypass" that allows an attacker to sidestep API authorization entirely.
organisation
FortiClient EMS
infrastructure
7.4.5
infrastructure
7.4.6
Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.
In its security advisory, the network security vendor confirmed the flaw has been exploited in the wild, and urged customers to install the hotfix for FortiClient EMS versions 7.4.5 and 7.4.6.
organisation
Shadowserver
Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday.
organisation
CVE-2025-64155
Earlier that same month, CVE-2025-64155, a critical command-injection vulnerability in the vendor's FortiSIEM platform, came under widespread exploitation.
organisation
CVE-2025
organisation
FortiWeb
And in November, attackers exploited CVE-2025-64446, a critical path traversal flaw in the company's FortiWeb product line.
infrastructure
Fortigate
In February, researchers at Amazon Web Services discovered a threat actor had compromised hundreds of FortiGate devices using AI to take advantage of weak credentials, exposed ports, and other security gaps.
organisation
PoC
organisation
GitHub
In a Tenable blog post published Monday, senior staff engineer Scott Caveza noted that a public proof-of-concept (PoC) exploit was identified on GitHub, though Tenable researchers have not yet verified it.
organisation
FortiCloud
In January, Fortinet confirmed that threat actors exploited a critical zero-day flaw that enabled them to log in to customer systems via FortiCloud's single sign-on (SSO) feature.
April 9
Federal civilian executive branch agencies must address the Fortinet customer issue by April 9 due to a zero-day exploit.
attribution
FCEB
Federal civilian executive branch (FCEB) agencies, which typically have two weeks to patch or mitigate exploited flaws, must address the FortiClient zero-day by April 9.
Tactical Metrics
Metrics
infrastructure
7.4.5
Software Version
Metrics
infrastructure
7.4.6
Software Version
Metrics
infrastructure
Fortigate
Affected Product
Intelligence Sources
Dark Reading
2026-04-06
CyberScoop
2026-04-06
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T12:07
Comprehensive Tactical Telemetry
Highly Correlated Entities
20x | organisation | Identified Entity | the Cybersecurity and Infrastructure Security Agency’s | entity
9x | timeline | Temporal Reference | Feb. 6 | date
7x | attribution | Attributing Entity | CVE-2026 | authority
5x | vulnerability | Exploited CVE | CVE-2026-35616 | cve
3x | tactic | MITRE ATT&CK Technique | T1584.004 - Server | technique
2x | infrastructure | Software Version | 7.4.5 | version
Contextual Telemetry
Context Block
4 METRICS
general metric | Scans | 2,000 | scans
general metric | Fortinet Defects | 10 | fortinet defects
infrastructure | Affected Product | Fortigate | software
general metric | Cvss Score | 9 | cvss score