**Fortinet FortiClient EMS zero-days CVE-2026-21643/35616 actively exploited** [developing]
Key Questions
What vulnerabilities are actively exploited in Fortinet FortiClient EMS?
Pre-auth RCE/SQLi flaws CVE-2026-21643 and CVE-2026-35616 have been exploited since March 31. CVE-2023-48788 SQLi is also active, added to CISA KEV on April 3. Thousands of exposures detected via honeypots in the US and Germany.
What patches are available for the FortiClient EMS zero-days?
Fortinet released an emergency hotfix on April 5, but a full patch is still pending. The flaws were exploited in the wild before the advisory. PoCs are public, with holiday-timed exploits aligning with FortiGate/CrackArmor surges.
How widespread is the exposure to these Fortinet vulnerabilities?
Honeypots show around 2,000 exposures, primarily in the US and Germany. CISA added one CVE to its Known Exploited Vulnerabilities catalog. Fortinet customers face active exploitation with a full patch still pending.
Pre-auth RCE/SQLi exploited since Mar 31, plus CVE-2023-48788 SQLi active (CISA KEV Apr 3, thousands exposed). Honeypots show ~2k exposures in the US and Germany. A hotfix was released Apr 5 (CVE-2026-35616), but a full patch is pending. Exploits are holiday-timed and a PoC is public; the activity aligns with the FortiGate/CrackArmor surge.