New Mirai Variant Nexcorium Hijacks DVR Devices for DDoS Attacks

Cybersecurity researchers at Fortinet have discovered Nexcorium, a new Mirai-based malware targeting TBK DVR systems to turn them into a botnet for DDoS attacks.

U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

April 7, 2026, 05:59

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Fortinet FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6.”

Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active zero-day exploitation of the issue.

A few hours ago, Defused researchers warned that further exploitation of the FortiClient EMS zero-day is under way. No public proof of concept exists yet, but the exploit now being used has roughly the same structure as the zero-day exploit they originally observed. Defused recommends watching for requests from unknown IP addresses that carry the header X-SSL-CLIENT-VERIFY: SUCCESS.

🚨 We are now observing further exploitation of the recent FortiClient zero-day (CVE-2026-35616)

No public POC exists to date, and this exploit has roughly the same structure as the observed zero-day exploit.

To identify potential compromise, defenders should look for… pic.twitter.com/hxEVre8bnf

— Defused (@DefusedCyber) April 6, 2026
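The detection hint above can be turned into a simple triage pass over the front-end web server or proxy log of an EMS host. The following is an added example, not Fortinet or Defused code: it assumes a log that records the client address and the request headers, and the record layout, the request paths and the networks where managed endpoints are expected to live are all constructed for the example. It flags any request whose X-SSL-CLIENT-VERIFY header claims SUCCESS while the source address is outside those networks, and it matches the header name and value case-insensitively, since HTTP header names are case-insensitive and a case-sensitive grep would miss a lower-cased copy.

```python
"""Flag requests that present X-SSL-CLIENT-VERIFY: SUCCESS from unexpected sources.

Added example, not Fortinet or Defused code. It assumes a front-end web server
or proxy log that records the client address and the request headers; the
record layout, the paths and the trusted client networks are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Networks where enrolled FortiClient endpoints are expected to live
# (hypothetical values for the example).
KNOWN_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

HEADER = "x-ssl-client-verify"  # compared case-insensitively, like any HTTP header


def parse_record(record: str) -> Dict:
    """Parse one constructed record: '<src_ip> <method> <path> | Name: value | ...'.
    Header names are lower-cased so matching is case-insensitive."""
    head, *raw_headers = [part.strip() for part in record.split("|")]
    src_ip, method, path = head.split()
    headers = {}
    for raw in raw_headers:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"src_ip": src_ip, "method": method, "path": path, "headers": headers}


def is_known_source(ip: str) -> bool:
    """True when the address falls inside a network where managed endpoints live."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_CLIENT_NETS)


def suspicious_requests(records: Iterable[str]) -> List[Dict]:
    """Return records whose X-SSL-CLIENT-VERIFY header claims SUCCESS while the
    source address is outside the expected client networks."""
    hits = []
    for record in records:
        parsed = parse_record(record)
        claimed = parsed["headers"].get(HEADER, "").upper()
        if claimed == "SUCCESS" and not is_known_source(parsed["src_ip"]):
            hits.append(parsed)
    return hits


# Constructed sample records (not real EMS traffic or real endpoint paths).
SAMPLE_RECORDS = [
    "10.20.30.40 POST /api/example | Host: ems.example.internal | X-SSL-CLIENT-VERIFY: SUCCESS",
    "203.0.113.7 POST /api/example | Host: ems.example.internal | X-SSL-CLIENT-VERIFY: SUCCESS",
    "203.0.113.7 GET /login | Host: ems.example.internal | User-Agent: curl/8.0",
    "198.51.100.9 POST /api/example | Host: ems.example.internal | x-ssl-client-verify: success",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_RECORDS):
        print(f"{hit['src_ip']} {hit['method']} {hit['path']} -> header claims client-cert success")
```

On the sample set the first record is ignored because the source is an expected endpoint network, the third because it carries no such header, and the second and fourth are flagged; the fourth only because the comparison ignores case. The allowlist should be built from where enrolled endpoints actually connect from, and hits should be checked against the EMS audit trail rather than treated as proof of compromise on their own.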

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must remediate the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 9, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

CVE-2026-35616: Fortinet fixes actively exploited high-severity flaw

April 6, 2026, 02:10

Fortinet issued emergency patches for a critical FortiClient EMS flaw (CVE-2026-35616) actively exploited in the wild.

Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6.”

Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active exploitation of the issue as a zero-day.

🚨 New Fortinet vulnerability being exploited as an 0-day

CVE-2026-35616 – FortiClient EMS pre-authentication API access bypass – CVSS 9.1 Critical

After observing in-the-wild exploitation of this vulnerability earlier this week, Defused reported it to Fortinet under… pic.twitter.com/GUk5fCAx91

— Defused (@DefusedCyber) April 4, 2026

In late March, Defused researchers had already warned that threat actors were exploiting a different FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score: 9.1), an SQL injection flaw that Fortinet had patched in February.

🚨 Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data

Attackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj

— Defused (@DefusedCyber) March 28, 2026


Pierluigi Paganini


Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution

March 30, 2026, 07:43

Attackers are exploiting a critical Fortinet FortiClient EMS flaw (CVE-2026-21643) that allows remote code execution via SQL injection.

A critical Fortinet FortiClient EMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1), is now being actively exploited.

Defused researchers warn that threat actors are exploiting the vulnerability in Fortinet’s FortiClient EMS platform.

“Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data. Attackers can smuggle SQL statements through the “Site”-header inside an HTTP request. According to Shodan, close to 1000 instances of Forticlient EMS are publicly exposed.” Defused wrote on X.

🚨 Fortinet Forticlient EMS CVE-2026-21643 – currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists – has seen first exploitation already 4 days ago according to our data

Attackers can smuggle SQL statements through the "Site"-header… pic.twitter.com/pHwl2qMVsj

— Defused (@DefusedCyber) March 28, 2026

In February, Fortinet issued an urgent advisory to address the critical FortiClientEMS vulnerability. The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” reads the advisory.

A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.

The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Below are the affected versions:

Version               Affected       Solution
FortiClientEMS 8.0    Not affected   Not applicable
FortiClientEMS 7.4    7.4.4          Upgrade to 7.4.5 or above
FortiClientEMS 7.2    Not affected   Not applicable

In February, the vendor did not say whether the vulnerability was being actively exploited in the wild at the time.

Despite not yet appearing in major exploited lists, real-world attacks have already been observed.

Shadowserver researchers report approximately 2,000 FortiClient EMS instances exposed online, most of them in the U.S. (756) and Europe (683).

In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FortiClient EMS SQL Injection Vulnerability, tracked as CVE-2023-48788, to its Known Exploited Vulnerabilities (KEV) catalog.


Pierluigi Paganini


Attackers exploit FortiGate devices to access sensitive network information

March 10, 2026, 16:02

Attackers are exploiting FortiGate devices to breach networks and steal configuration data containing service account credentials and network details.

SentinelOne researchers warn that attackers are exploiting vulnerabilities or weak credentials in FortiGate devices to gain initial access to corporate networks. Once inside, they extract configuration files that may contain service account credentials and information about the internal network structure. The campaign appears to target sectors such as healthcare, government agencies, and managed service providers.

“Throughout early 2026, SentinelOne’s Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment,” states SentinelOne. “Each incident was detected and stopped during the lateral movement phase of the attack.”

FortiGate appliances are often integrated with Active Directory and LDAP for role mapping and fast response to network alerts, which means the appliance holds credentials for the directory. In the incidents SentinelOne analyzed, threat actors obtained unauthenticated administrative access by exploiting CVE-2025-59718 and CVE-2025-59719, SSO signature validation flaws, and CVE-2026-24858, which allowed them to log in through FortiCloud SSO. Others simply abused weak credentials, with no vulnerability needed. Once inside, they extracted configuration files containing service account credentials.

In one case analyzed by SentinelOne, attackers created local admin accounts, modified firewall policies, and periodically checked their access before extracting configuration files containing encrypted LDAP service account credentials. These were decrypted and used to authenticate to Active Directory and enroll rogue workstations, allowing deeper network access.

In another incident, attackers created admin accounts, deployed Pulseway and MeshAgent RMM tools, and used PowerShell and DLL side-loading to execute malware. They staged malicious payloads on cloud storage (Google Cloud, AWS S3), ran tasks to maintain persistence, and used PsExec to move laterally.

The attackers made a backup of the main domain controller, took the NTDS.dit file and SYSTEM registry data, compressed them, and uploaded them to their servers. After the incident was contained, no further misuse of accounts was seen.

Next-generation firewalls (NGFWs), like FortiGate, are widely used because they combine strong network security with features like Active Directory integration. This makes them high-value targets for attackers, from state-sponsored espionage groups to financially motivated criminals. Recent research shows that even less skilled actors can now exploit these devices more easily using AI tools like large language models (LLMs), which provide guidance on navigating networks and extracting sensitive data.

Organizations should secure NGFWs by enforcing strong administrative access controls, keeping software patched, and retaining logs for at least 14 days, or 60 to 90 days where possible. Logs should be forwarded to a SIEM to detect anomalies, track unauthorized account creation, monitor configuration access and exports, spot malware or C2 traffic, preserve evidence, and enable automated responses that neutralize threats quickly.

“Organizations should consider that FortiGate and other edge devices typically do not permit security software to be installed on the appliance, such as endpoint detection and response (EDR) tools. The best defense for these appliances is to apply strong administrative access controls and to keep the software patched to prevent exploitation.” concludes the report. “Further, both of these investigations were hindered by insufficient FortiGate log retention. Organizations should ensure they have at least 14 days of log retention on NGFW appliances like FortiGate, though 60-90 days is much better when possible.”
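The activity chain SentinelOne describes (admin login from an unexpected address, a new local admin, a policy change, a configuration backup) is visible in FortiGate event logs if they are retained and forwarded. The following is an added example, not SentinelOne or Fortinet code: the parser follows FortiGate's key=value event log layout, where values containing spaces are double-quoted, but the sample lines, the logdesc and cfgpath strings they carry and the trusted admin network are constructed for the example and should be checked against the logs of your own appliance and firmware version before being used as detection rules.

```python
"""Triage FortiGate-style event logs for the intrusion chain described above.

Added example, not SentinelOne or Fortinet code. The parser follows FortiGate's
key=value event log layout (quoted values may contain spaces); the sample lines,
their logdesc/cfgpath strings and the trusted admin network are constructed and
must be validated against a real appliance's logs before use.
"""
import ipaddress
import re
from typing import Dict, List, Optional

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Where administrators are expected to log in from (hypothetical).
ADMIN_NETS = [ipaddress.ip_network("10.1.0.0/16")]


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, handling double-quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_ip(event: Dict[str, str]) -> Optional[str]:
    """Prefer the srcip field; otherwise pull the address out of ui="https(1.2.3.4)"."""
    if "srcip" in event:
        return event["srcip"]
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", event.get("ui", ""))
    return m.group(1) if m else None


def from_unexpected_source(ip: Optional[str]) -> bool:
    """Unknown or non-admin-network sources count as unexpected."""
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ADMIN_NETS)


def triage(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per matched rule, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        src = source_ip(ev)
        action, cfgpath, logdesc = ev.get("action", ""), ev.get("cfgpath", ""), ev.get("logdesc", "")
        rules = []
        if logdesc == "Admin login successful" and from_unexpected_source(src):
            rules.append("admin_login_from_unexpected_source")
        if cfgpath == "system.admin" and action == "Add":
            rules.append("admin_account_created")
        if cfgpath.startswith("firewall.policy") and action in ("Add", "Edit", "Delete"):
            rules.append("firewall_policy_changed")
        if "backed up" in logdesc.lower():
            rules.append("config_backup")
        for rule in rules:
            findings.append({"line": n, "rule": rule, "user": ev.get("user"),
                             "src": src, "object": ev.get("cfgobj")})
    return findings


def actors(findings: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group matched rules by the account that performed them."""
    by_user: Dict[str, List[str]] = {}
    for f in findings:
        by_user.setdefault(f["user"] or "?", []).append(f["rule"])
    return by_user


# Constructed sample events; field names mimic FortiGate, the values are made up.
PREFIX = 'date=2026-03-01 type="event" subtype="system" vd="root" '
SAMPLE_EVENTS = [
    PREFIX + 'time=09:12:01 logdesc="Admin login successful" user="admin" ui="https(10.1.1.5)" srcip=10.1.1.5 msg="Administrator admin logged in successfully from https(10.1.1.5)"',
    PREFIX + 'time=21:40:17 logdesc="Admin login successful" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 msg="Administrator admin logged in successfully from https(203.0.113.50)"',
    PREFIX + 'time=21:41:02 logdesc="Object attribute configured" user="admin" ui="https(203.0.113.50)" action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    PREFIX + 'time=21:43:55 logdesc="Object attribute configured" user="support_tmp" ui="https(203.0.113.50)" action="Edit" cfgpath="firewall.policy" cfgobj="7" msg="Edit firewall.policy 7"',
    PREFIX + 'time=21:45:10 logdesc="Configuration backed up" user="support_tmp" ui="https(203.0.113.50)" msg="Configuration is backed up to local by user support_tmp via https(203.0.113.50)"',
    PREFIX + 'time=22:05:00 logdesc="Object attribute configured" user="admin" ui="https(10.1.1.5)" action="Edit" cfgpath="system.global" cfgobj="timezone" msg="Edit system.global timezone"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f['line']}: {f['rule']} user={f['user']} src={f['src']} object={f['object']}")
```

Run against the sample, the routine login from the admin network and the timezone edit produce nothing, while the off-network login, the creation of support_tmp, the policy edit by that account and its configuration backup each produce a finding; grouping by actor ties the new account to the login that created it. The grouping is only possible when the appliance keeps the whole sequence, which is the point of the retention advice above.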


Pierluigi Paganini


Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon

February 23, 2026, 01:51

A single threat actor used AI tools to create and run a campaign that compromised more than 600 Fortinet FortiGate appliances around the world over five weeks, according to Amazon threat researchers, the latest example of how cybercriminals are using the technology in their attacks.

The post Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon appeared first on Security Boulevard.

Critical Fortinet FortiClientEMS flaw allows remote code execution

February 9, 2026, 17:54

Fortinet warns of a critical FortiClientEMS vulnerability that lets remote attackers run malicious code without logging in.

Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).

The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” reads the advisory.

A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.
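The advisory says the injection is reachable by unauthenticated HTTP requests, and the Defused note earlier on this page says the SQL is smuggled through the "Site" request header. The following is an added example, not FortiClientEMS code, and it does not claim to reproduce the product's query: it is a generic sqlite3 model showing why a header value concatenated into a statement is exploitable (CWE-89) and how binding the same value as a parameter closes the hole. The table, its rows and the header values are constructed.

```python
"""SQL injection through an HTTP header: string-built query vs bound parameter.

Added example, not FortiClientEMS code. A generic sqlite3 model of a lookup
keyed on a request header; the schema, rows and header values are constructed.
"""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a server-side table keyed by site name (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT NOT NULL, api_key TEXT NOT NULL);
        INSERT INTO sites (name, api_key) VALUES ('default', 'key-default'), ('branch-1', 'key-branch-1');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """The header value is interpolated straight into the statement, so a quote in
    the header ends the string literal and the rest is parsed as SQL (CWE-89)."""
    site = headers.get("Site", "default")
    sql = f"SELECT name, api_key FROM sites WHERE name = '{site}' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Same lookup with the value bound as a parameter: the driver passes it to the
    engine as data, so it can never change the statement's structure."""
    site = headers.get("Site", "default")
    return conn.execute(
        "SELECT name, api_key FROM sites WHERE name = ? ORDER BY id", (site,)
    ).fetchall()


# Constructed request headers: a normal lookup and a tautology payload that
# turns "WHERE name = 'x'" into "WHERE name = 'x' OR '1'='1'".
BENIGN = {"Site": "branch-1"}
INJECTED = {"Site": "x' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign :", lookup_vulnerable(db, BENIGN))
    print("vulnerable, injected:", lookup_vulnerable(db, INJECTED))  # every row, keys included
    print("fixed, benign      :", lookup_fixed(db, BENIGN))
    print("fixed, injected    :", lookup_fixed(db, INJECTED))        # no such site, nothing returned
```

The vulnerable path returns every row, API keys included, for the injected header, because the quote in the header closes the literal and the rest becomes part of the WHERE clause; the parameterized path looks for a site literally named `x' OR '1'='1` and returns nothing. An allowlist on the header's shape (for example, letters, digits, dots and hyphens only) is worth adding in front of the query as defence in depth, but the parameter binding is the actual fix.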

The vulnerability was internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Below are the affected versions:

Version               Affected       Solution
FortiClientEMS 8.0    Not affected   Not applicable
FortiClientEMS 7.4    7.4.4          Upgrade to 7.4.5 or above
FortiClientEMS 7.2    Not affected   Not applicable

The company did not disclose whether the vulnerability is currently being actively exploited in the wild.


Pierluigi Paganini


CVEs Targeting Remote Access Technologies in 2025

October 7, 2025, 05:18
The exploitation of vulnerabilities targeting remote access technologies to gain initial access is continuing relentlessly also during 2025, with initial access brokers, and in general opportunistic and targeted threat actors, quite active in leveraging software flaws to break into organizations.