New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks
Critical 9.1 Flaws Hit Fortinet FortiSandbox
The post Critical 9.1 Flaws Hit Fortinet FortiSandbox appeared first on Daily CyberSecurity.
U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Fortinet FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.
This week, Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.
“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6”
Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.
Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active zero-day exploitation of the issue.
A few hours ago, Defused researchers warned that they are now observing further exploitation of the FortiClient EMS zero-day. No public PoC exists yet, but the newly observed exploit has roughly the same structure as the original zero-day exploit. Defused recommends watching for traffic from unknown IPs that carries the header X-SSL-CLIENT-VERIFY: SUCCESS.
We are now observing further exploitation of the recent FortiClient zero-day (CVE-2026-35616)
No public POC exists to date, and this exploit has roughly the same structure as the observed zero-day exploit.
To identify potential compromise, defenders should look for…
— Defused (@DefusedCyber) April 6, 2026
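One way to act on that indicator over web-server or reverse-proxy logs that record request headers, written here as an added example and not code from Defused or Fortinet: the allowlisted networks, the request records and the request target are constructed placeholders, and the only thing taken from the guidance above is the header and value to look for.

```python
"""Flag requests that present X-SSL-CLIENT-VERIFY: SUCCESS from a source
outside the networks where enrolled FortiClient endpoints are expected.
Added example; records and allowlist below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical allowlist: networks where enrolled endpoints (and the EMS
# server's own TLS-terminating proxy) are expected to live.
TRUSTED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

INDICATOR_HEADER = "x-ssl-client-verify"   # header named in the Defused guidance
INDICATOR_VALUE = "SUCCESS"


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request head into method, target and a
    lowercase-keyed header dict; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_suspicious(src_ip: str, raw_request: str) -> bool:
    """True when the request claims a verified client certificate via the
    indicator header but arrives from outside the trusted endpoint networks."""
    headers = parse_request(raw_request)["headers"]
    if headers.get(INDICATOR_HEADER, "").upper() != INDICATOR_VALUE:
        return False
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in TRUSTED_CLIENT_NETS)


def triage(records: List[Tuple[str, str]]) -> List[str]:
    """Return the source IPs of records that trip the indicator."""
    return [ip for ip, raw in records if is_suspicious(ip, raw)]


# Constructed sample records (source IP, raw request head). The request
# target is a placeholder, not a real EMS endpoint.
SAMPLE_RECORDS = [
    ("10.20.30.40",
     "GET /placeholder/api HTTP/1.1\r\nHost: ems.example.internal\r\n"
     "X-SSL-CLIENT-VERIFY: SUCCESS\r\n\r\n"),
    ("203.0.113.77",
     "POST /placeholder/api HTTP/1.1\r\nHost: ems.example.internal\r\n"
     "X-SSL-CLIENT-VERIFY: SUCCESS\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.78",
     "GET /placeholder/login HTTP/1.1\r\nHost: ems.example.internal\r\n\r\n"),
]

if __name__ == "__main__":
    for ip in triage(SAMPLE_RECORDS):
        print(f"investigate: {ip} presented {INDICATOR_HEADER}: {INDICATOR_VALUE}")
```

A header of this kind is normally set by the TLS-terminating proxy after it has checked the client certificate, so the record worth pulling for review is one that already carries the value SUCCESS on arrival from an address outside the ranges where enrolled endpoints live; the script stays silent for the same header from a trusted range, which is where the allowlist needs to be tuned to your own deployment.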
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by April 9, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
New Fortinet Flaw Allows Unauthorized Access to Enterprise Systems
Fortinet warns of a critical FortiClient EMS zero-day vulnerability that is currently being exploited, allowing attackers to bypass authentication and execute commands.
The post New Fortinet Flaw Allows Unauthorized Access to Enterprise Systems appeared first on TechRepublic.
CVE-2026-35616: Fortinet fixes actively exploited critical flaw
Fortinet issued emergency patches for a critical FortiClient EMS flaw (CVE-2026-35616) actively exploited in the wild.
Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.
“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6”
Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.
Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active exploitation of the issue as zero-day.
New Fortinet vulnerability being exploited as an 0-day
CVE-2026-35616 – FortiClient EMS pre-authentication API access bypass – CVSS 9.1 Critical
After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under…
— Defused (@DefusedCyber) April 4, 2026
In late March, Defused researchers had already warned that threat actors were exploiting a separate vulnerability in Fortinet’s FortiClient EMS platform, an SQL injection tracked as CVE-2026-21643 (CVSS score: 9.1).
Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data
Attackers can smuggle SQL statements through the "Site"-header…
— Defused (@DefusedCyber) March 28, 2026
(SecurityAffairs – hacking, Fortinet)
Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution
Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.
A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.
Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.
“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data. Attackers can smuggle SQL statements through the ‘Site’-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X.
Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data
Attackers can smuggle SQL statements through the "Site"-header…
— Defused (@DefusedCyber) March 28, 2026
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.
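The pattern the advisory describes (CWE-89, an attacker-controlled HTTP header landing in SQL text) and its fix, shown as an added illustration rather than FortiClient EMS code: the table, the query, the site-name policy and the requests are all hypothetical, and the tautology payload is the textbook one, not the exploit Defused observed.

```python
"""A header value used in a SQL query, vulnerable and hardened.
Added illustration of CWE-89; table, query and requests are hypothetical."""
import re
import sqlite3
from typing import Dict, List, Tuple

SITE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # hypothetical site-name policy


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for whatever table the real application keys on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (name TEXT PRIMARY KEY, tenant TEXT NOT NULL)")
    conn.executemany("INSERT INTO sites VALUES (?, ?)",
                     [("default", "tenant-a"), ("branch", "tenant-b")])
    conn.commit()
    return conn


def lookup_site_vulnerable(conn: sqlite3.Connection,
                           headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """CWE-89: the Site header is concatenated straight into the SQL text,
    so quote characters in it change the statement's meaning."""
    site = headers.get("site", "default")
    sql = f"SELECT name, tenant FROM sites WHERE name = '{site}'"
    return conn.execute(sql).fetchall()


def lookup_site_hardened(conn: sqlite3.Connection,
                         headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Reject anything outside the expected name alphabet, then bind the value
    as a parameter so the database never parses it as SQL."""
    site = headers.get("site", "default")
    if not SITE_NAME_RE.fullmatch(site):
        raise ValueError("rejected Site header")
    return conn.execute("SELECT name, tenant FROM sites WHERE name = ?",
                        (site,)).fetchall()


# Constructed requests: one benign, one carrying a tautology in the header.
BENIGN = {"site": "branch"}
INJECTED = {"site": "x' OR '1'='1"}


def demo() -> Dict[str, object]:
    """Run both lookups against both requests and report what each returns."""
    conn = make_db()
    try:
        lookup_site_hardened(conn, INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vuln_benign": lookup_site_vulnerable(conn, BENIGN),
        "vuln_injected": lookup_site_vulnerable(conn, INJECTED),  # leaks every row
        "hard_benign": lookup_site_hardened(conn, BENIGN),
        "hard_injected_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup answers the injected request with every row in the table, which is the same class of behaviour that lets an unauthenticated request read or alter data it should never see; the hardened version both refuses the value before it reaches the database and, for values that pass, binds it as a parameter, so either control on its own would have blocked the payload.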
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
When the advisory was published in February, the vendor did not say whether the vulnerability was being exploited in the wild.
Although the flaw has not yet appeared on the major exploited-vulnerability lists, real-world attacks have already been observed.
Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).
In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.
(SecurityAffairs – hacking, Fortinet)
Best AI Security Solutions for Enterprises in 2026
Attackers exploit FortiGate devices to access sensitive network information
Attackers are exploiting FortiGate devices to breach networks and steal configuration data containing service account credentials and network details.
SentinelOne researchers warn that attackers are exploiting vulnerabilities or weak credentials in FortiGate devices to gain initial access to corporate networks. Once inside, they extract configuration files that may contain service account credentials and information about the internal network structure. The campaign appears to target sectors such as healthcare, government agencies, and managed service providers.
“Throughout early 2026, SentinelOne’s® Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment.” states SentinelOne. “Each incident was detected and stopped during the lateral movement phase of the attack.”
FortiGate appliances are often integrated with Active Directory and LDAP so that directory groups can be mapped to roles and network alerts can be acted on quickly. Threat actors have abused that integration in two ways: by exploiting CVE-2025-59718 and CVE-2025-59719, SSO signature validation flaws that yield unauthenticated administrative access, and CVE-2026-24858, which let attackers log in through FortiCloud SSO; or, in other cases, simply by using weak credentials with no vulnerability at all. Once inside, they extract configuration files that contain service account credentials.
In one case analyzed by SentinelOne, the attackers created local admin accounts, modified firewall policies and periodically checked that their access still worked before extracting configuration files containing encrypted LDAP service account credentials. They decrypted those credentials, authenticated to Active Directory and enrolled rogue workstations, giving them deeper access to the network.
In another incident, attackers created admin accounts, deployed Pulseway and MeshAgent RMM tools, and used PowerShell and DLL side-loading to execute malware. They staged malicious payloads on cloud storage (Google Cloud, AWS S3), ran tasks to maintain persistence, and used PsExec to move laterally.
The attackers backed up the main domain controller, took the NTDS.dit file and the SYSTEM registry hive, compressed them and uploaded them to their own servers. After the incident was contained, no further misuse of the accounts was seen.
Next-generation firewalls (NGFWs) like FortiGate are widely deployed because they combine network security functions with features such as Active Directory integration, which makes them high-value targets for attackers ranging from state-sponsored espionage groups to financially motivated criminals. Recent research shows that even less skilled actors can exploit these devices more easily with the help of large language models (LLMs), which guide them through navigating networks and extracting sensitive data.
Organizations should secure NGFWs by enforcing strong administrative access controls, keeping software patched and retaining logs for at least 14 days, ideally 60 to 90. Logs should be forwarded to a SIEM to detect anomalies, track unauthorized account creation, monitor configuration access, spot malware or C2 traffic, preserve evidence and enable automated responses that neutralize threats quickly.
“Organizations should consider that FortiGate and other edge devices typically do not permit security software to be installed on the appliance, such as endpoint detection and response (EDR) tools. The best defense for these appliances is to apply strong administrative access controls and to keep the software patched to prevent exploitation.” concludes the report. “Further, both of these investigations were hindered by insufficient FortiGate log retention. Organizations should ensure they have at least 14 days of log retention on NGFW appliances like FortiGate, though 60-90 days is much better when possible.”
(SecurityAffairs – hacking, Fortinet)
Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon
A single threat actor used AI tools to create and run a campaign that compromised more than 600 Fortinet FortiGate appliances around the world over five weeks, according to Amazon threat researchers, the latest example of how cybercriminals are using the technology in their attacks.
The post Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon appeared first on Security Boulevard.
Critical Fortinet FortiClientEMS flaw allows remote code execution
Fortinet warns of a critical FortiClientEMS vulnerability that lets remote attackers run malicious code without logging in.
Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).
The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory.
A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
The vulnerability was internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.
Below are the affected versions:
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 8.0 | Not affected | Not Applicable |
| FortiClientEMS 7.4 | 7.4.4 | Upgrade to 7.4.5 or above |
| FortiClientEMS 7.2 | Not affected | Not Applicable |
(SecurityAffairs – hacking, FortiClientEMS)