As Fortinet rushed out a hotfix to address a zero-day vulnerability in its FortiClient EMS over the Easter long weekend, with a warning that attackers were already exploiting the flaw.
The vulnerability, CVE-2026-35616, could allow an unauthenticated attacker to execute unauthorised code or commands via specifically crafted requests.
“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” Fortinet said in a 4 April advisory.
“Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime, the hotfix above is sufficient to prevent it entirely.”
FortiClientEMS 7.2 is not impacted by the vulnerability.
Unfortunately, security analysts believe exploitation has been ongoing for nearly a week.
“watchTowr’s Attacker Eye honeypot infrastructure is currently capturing active exploitation of CVE-2026-35616,” Benjamin Harris, watchTowr CEO and founder, told Cyber Daily.
“Attacker Eye sensors first captured exploitation activity on March 31st, days before today’s public disclosure, in what appeared to be early probes ahead of a full ramp-up.
“This is a zero-day. While there is no full patch, we have to give credit where credit is due: Fortinet has rushed out a hotfix over a holiday weekend, which reflects how urgently the company is treating this.”
Harris believes the timing and ramping up of the malicious activity is very likely not coincidental, as attackers are fond of taking advantage of holiday weekends to make their move.
“Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity,” Harris said.
“What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks. So, once again, organisations running FortiClient EMS and exposed to the internet should treat this as an emergency response situation, not something to pick up on Tuesday morning.
“Apply the hotfix. Attackers already have a head start.”
This is the second major issue impacting Fortinet products in 2026. The company revealed in January that attackers were targeting a raft of Fortinet products.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices,” Fortinet said in a 28 January advisory.
“This vulnerability was found being exploited in the wild by two malicious FortiCloud accounts, which were locked out on 2026-01-22.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.