
Attackers Exploit Zero-Day Vulnerability in Fortinet Security Software


Vendor Issues Hotfix for Critical Flaw in FortiClient Endpoint Management Server


Fortinet has issued emergency patches for its FortiClient Endpoint Management Server (EMS) following the discovery of two critical security vulnerabilities. One of them is a zero-day flaw that attackers are actively exploiting in the wild, which is why the vendor moved to protect its customers before a full release was ready.

The emergency hotfix, released on Saturday, addresses the zero-day vulnerability tracked as CVE-2026-35616. Fortinet strongly recommends that customers running versions 7.4.5 and 7.4.6 of FortiClient EMS install it without delay. In its advisory, the company stated that a comprehensive update is still in development, but that the hotfix is sufficient to mitigate the immediate threat until that version ships.

FortiClient EMS matters to security teams because it provides centralized administration of endpoints such as laptops and mobile devices. The server integrates the FortiClient agent with Fortinet's Security Fabric to deliver endpoint protection, secure VPN access and Zero Trust network enforcement. A system with that much reach over managed endpoints is an attractive target for attackers.

The vulnerability allows unauthenticated attackers to bypass both authentication and authorization, and it can be exploited to execute unauthorized commands or code through maliciously crafted requests. Defused, a Finnish threat intelligence company that helped disclose the flaw to Fortinet, highlighted this impact in a recent social media update.

The Shadowserver Foundation, a nonprofit dedicated to improving global cybersecurity, reported that approximately 2,000 FortiClient EMS instances are publicly reachable on the internet, predominantly in the United States and Germany. How many of those installations have applied the hotfix is unknown, which makes the exposure figure all the more concerning.

Shadowserver also warned of ongoing targeted attacks against FortiClient EMS servers that either lack the new hotfix or have yet to patch an earlier vulnerability, CVE-2026-21643, which carries a CVSS score of 9.1. Fortinet fixed that earlier flaw in early February, when it too was found to be under active exploitation.

Benjamin Harris, CEO and founder of the threat intelligence firm watchTowr, pointed to the timing of the attacks. According to the company's honeypot data, the first probes for this zero-day appeared shortly after its discovery, and sustained attacks ramped up over the Easter holiday weekend, suggesting that attackers deliberately target periods when security teams are distracted.

Harris commented: “The timing of this exploitation is likely not coincidental, as attackers often favor holiday weekends when security resources are reduced and the likelihood of compromise increases.” This pattern highlights a broader trend of cybercriminals taking advantage of reduced vigilance during these periods.

Fortinet has shown commendable urgency in addressing the vulnerabilities, especially given that the development of a formal patch is still pending. “This is a zero-day. While there is no complete patch at present, Fortinet’s rapid deployment of a hotfix during a holiday weekend underscores the company’s recognition of the severity of this issue,” stated Harris.

Internet-facing edge devices, FortiClient EMS among them, have become preferred targets for both criminal and state-sponsored attackers. They are often patched more slowly than internal systems and offer significant operational leverage once compromised. The latest annual threat report from Cisco Talos corroborates this, noting that the disclosure and patching of vulnerabilities can paradoxically lead to more targeted attacks on edge devices, as attackers race to hit systems before they are updated.

Organizations running systems like FortiClient EMS should treat the ongoing exploitation as a reason to act now: applying the hotfix promptly and keeping up with updates are the most effective steps available against these attacks.
