Fortinet Issues Emergency Patch for FortiClient Zero-Day

The discovery of CVE‑2026‑35616 illustrates how quickly sophisticated attackers can move from vulnerability research to active exploitation. Identified by Defused’s founder Simo Kohonen through the company’s upcoming Radar anomaly‑detection platform, the flaw bypasses API authentication entirely, granting attackers pre‑authentication command execution. Fortinet’s rapid issuance of a hotfix for EMS 7.4.5/7.4.6 demonstrates an industry‑standard response, yet the existence of a public proof‑of‑concept on GitHub suggests that threat actors are already testing the exploit in the wild.

For organizations, the inclusion of CVE‑2026‑35616 in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) list triggers mandatory remediation timelines for U.S. federal entities, with a hard deadline of April 9. Private sector firms often mirror these timelines to avoid supply‑chain risk, especially as Fortinet products are deeply embedded in network security architectures. The pattern of successive zero‑days—spanning FortiClient, FortiOS, FortiWeb, and FortiGate—means that unpatched endpoints can become footholds for lateral movement, data exfiltration, or ransomware deployment.

The broader lesson for the cybersecurity community is the necessity of proactive threat hunting and automated patch management. Leveraging threat‑intel feeds, such as those from Defused’s Radar, can surface emerging exploits before they achieve widespread impact. Enterprises should prioritize rapid testing of emergency patches, enforce strict change‑control processes, and consider compensating controls like network segmentation and multi‑factor authentication to mitigate exposure while patches are deployed. In an environment where attackers exploit vulnerabilities within days, a disciplined, speed‑focused remediation strategy is no longer optional but essential for resilience.