Fortinet released an emergency software update over the weekend to address a critical zero-day vulnerability in its FortiClient Enterprise Management Server (EMS) software, a tool used to manage customer devices. The vulnerability, designated CVE-2026-35616, has been actively exploited in the wild.
This new vulnerability, carrying a high CVSS score of 9.8, was officially added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerabilities catalog on Monday. Fortinet’s advisory confirmed active exploitation and stated they have released a hotfix, with a more comprehensive update planned. The exact number of affected instances and the timeline of the initial exploit remain undisclosed.
FortiClient EMS Vulnerability Actively Exploited
Attackers began probing for and attempting to exploit CVE-2026-35616 around March 31, according to Benjamin Harris, founder and CEO at watchTowr. Initial exploitation attempts were noted as limited, a common strategy to avoid detection while testing a new exploit.
However, following Fortinet’s release of a hotfix and increased attention to the issue, the exploitation activity has significantly ramped up. This surge indicates growing interest from attackers and a likely expansion of targeting efforts.
Widespread Exposure and Similarities to Previous Flaws
Shadowserver scans identified nearly 2,000 publicly accessible FortiClient EMS instances on Sunday. It is not yet clear how many of these instances are running the vulnerable software versions. Researchers have not established a direct link between this vulnerability and known threat actors.
This newly discovered zero-day bears resemblance to CVE-2026-21643, a previously disclosed unauthenticated vulnerability in FortiClient EMS. Authorities also warned of active exploitation for that flaw in early February. Both defects allow for remote code execution, a significant concern for network security.
Fortinet products are frequently targeted by threat actors, making such vulnerabilities predictable, according to Caitlin Condon, vice president of security research at VulnCheck. CISA has now added ten Fortinet vulnerabilities to its exploited list since the beginning of 2025, highlighting a persistent trend.
Urgency of Patching Fortinet Systems
While a complete patch for CVE-2026-35616 is not yet available, Fortinet’s rapid deployment of a hotfix over a holiday weekend underscores the severity of the situation. Harris commented that attackers often leverage holiday periods, when security teams are often understaffed, to increase their malicious activities.
A Fortinet spokesperson stated that the company is actively working on remediation and is in direct communication with affected customers to provide guidance. The urgency to apply the hotfix cannot be overstated, with experts advising immediate action.
The next steps involve the release of the full software update from Fortinet and continued monitoring by security researchers and CISA for further exploitation. Organizations using FortiClient EMS are strongly advised to apply the available hotfix as soon as possible to mitigate the risk of compromise.