👤 KERNELWATCHER
🗓️ 05 Apr 2026   🌍 North America

Zero-Day Panic: Fortinet’s EMS Breach Leaves Over 2,000 Networks Exposed

A critical flaw in Fortinet’s endpoint management tool is being actively weaponized, prompting an urgent global scramble for emergency patches.

It’s the kind of weekend that keeps IT defenders up at night: a critical vulnerability, already under active attack, is found in a security product trusted by thousands of organizations worldwide. This time, Fortinet’s FortiClient Enterprise Management Server (EMS) is at the epicenter, as hackers race to exploit a flaw that lets them bypass defenses and seize control - no password required.

A Race Against the Clock

Fortinet, a heavyweight in network security, issued an emergency patch on Saturday after confirming that attackers are exploiting a newly discovered flaw in its FortiClient EMS platform. The vulnerability, tracked as CVE-2026-35616, is no ordinary bug: it allows cybercriminals to remotely run code or commands on vulnerable servers simply by sending specially crafted requests - no authentication needed.

Discovered by researchers at Defused, the flaw is described as a “pre-authentication API access bypass,” meaning attackers can sidestep all login and authorization checks. Defused publicly revealed that they witnessed the exploit being used in the wild as a zero-day - an attack that hits before a patch is available - before responsibly reporting it to Fortinet.

Global internet scanning by Shadowserver found more than 2,000 FortiClient EMS instances exposed to the internet, with the majority based in the United States and Germany. Each one is a potential beachhead for ransomware operators, data thieves, or state-backed hacking groups.

Déjà Vu for Fortinet Customers

This emergency comes hot on the heels of another critical FortiClient EMS vulnerability (CVE-2026-21643) reported just last week - also discovered by Defused. The back-to-back discoveries highlight the high-stakes game of cat and mouse between software vendors and threat actors, and the persistent risk posed by zero-day flaws in security infrastructure itself.

Fortinet has issued hotfixes for affected versions (7.4.5 and 7.4.6), with users urged to patch immediately or upgrade to the soon-to-be-released version 7.4.7. Notably, FortiClient EMS 7.2 is unaffected, but any unpatched server running a vulnerable version is a sitting duck.

As attackers continue to target security management tools - often the crown jewels of network administration - the message to defenders is clear: patch fast, monitor for signs of compromise, and never assume your security tools are immune to attack.

Conclusion

The Fortinet EMS saga is a stark reminder that even the most trusted security platforms can become liabilities overnight. In the escalating arms race of cyber offense and defense, vigilance and speed are the only defenses against the next zero-day storm.

WIKICROOK

  • Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
  • Remote code execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.
  • Pre: A pre is an illegal leak of digital content before its official release, often causing financial and reputational harm to creators or companies.
  • Hotfix: A hotfix is an urgent software update released to quickly patch a specific security flaw or bug before a full update can be issued.
  • API access bypass: API access bypass is a flaw that allows attackers to use APIs without proper permission checks, potentially exposing sensitive data or system functions.

KERNELWATCHER
Linux Kernel Security Analyst