Interlock/The Gentlemen exploiting appliances (FortiClient EMS CISA KEV/JetBrains TeamCity/Cisco/MS DogWalk/BlueHammer/Chrome WebGPU/PHP CGI/Progress ShareFile/Next.js/Flowise/GoAnywhere/SmarterMail/Oracle/WebLogic/ServiceNow/F5/Wazuh/NK Axios/OpenClaw)

Key Questions

What is the main vulnerability in FortiClient EMS?

CVE-2026-35616 is a CVSS 9.8 pre-auth RCE in FortiClient EMS, under active exploitation with thousands of exposed systems. Fortinet issued an emergency hotfix as a full patch is pending.

What other Fortinet vulnerabilities are being exploited?

CVE-2023-48788 (SQLi, KEV since Apr 2022) and CVE-2026-21643 (SQLi active since Mar 2025) in FortiGate and related products have thousands exposed, including 2k+ in US/DE.

What is Progress ShareFile's vulnerability?

CVE-2026-2699 and CVE-2026-2701 are RCE flaws in Progress ShareFile, exploited by groups like Interlock and The Gentlemen. They enable unauthorized access in enterprise file sharing.

How is Chrome affected in these exploits?

Chrome's CVE-2026-5281 is a WebGPU UAF vulnerability added to CISA KEV, with over 146 exploits. It's targeted in appliance exploitation chains.

What zero-days is Storm-1175 using?

Storm-1175 exploits GoAnywhere CVE-2025-10035 and SmarterMail CVE-2026-23760 zero-days for rapid ransomware deployment. These chain into broader appliance attacks.

What is the TeamCity vulnerability status?

JetBrains TeamCity has an RCE flaw with 30k exposed instances. It's part of the appliance exploitation trend by Interlock and affiliates.

What other critical flaws are mentioned?

Dgraph has a CVSS 10 auth bypass; Flowise CVSS 10 RCE. These are weaponized in supply chain attacks alongside Oracle WebLogic, F5, and ServiceNow.

What mitigations are advised for these exploits?

Implement inventory management, patch configurations, IOC monitoring, whitelists, logs, NIDS, WAFs, and RBVM. Prioritize exposed appliances like FortiClient EMS.

FortiClient EMS CVE-2026-35616 (9.8 RCE auth bypass CISA KEV/hotfix 7.4.7/2k+ exposed/exploited Mar31) + CVE-2026-21643/-2023-48788 SQLi KEV; MS BlueHammer LPE; Progress ShareFile CVE-2026-2699/2701 RCE; Chrome CVE-2026-5281 KEV (146+); TeamCity RCE (30k); Storm-1175 GoAnywhere/SmarterMail/BeyondTrust/CrushFTP ZDs; supply chain OSS 97% high/crit. Inventory/patch configs/IOCs/whitelists/logs/NIDS/WAFs/SBOM/RBVM.

Sources (51)

Updated Apr 8, 2026

Interlock/The Gentlemen exploiting appliances (FortiClient EMS CISA KEV/JetBrains TeamCity/Cisco/MS DogWalk/BlueHammer/Chrome WebGPU/PHP CGI/Progress ShareFile/Next.js/Flowise/GoAnywhere/SmarterMail/Oracle/WebLogic/ServiceNow/F5/Wazuh/NK Axios/OpenClaw)

Key Questions

What is the main vulnerability in FortiClient EMS?

What other Fortinet vulnerabilities are being exploited?

What is Progress ShareFile's vulnerability?

How is Chrome affected in these exploits?

What zero-days is Storm-1175 using?

What is the TeamCity vulnerability status?

What other critical flaws are mentioned?

What mitigations are advised for these exploits?

Windows zero-day vulnerability 'BlueHammer' exploit code released

BlueHammer Windows Zero-Day: Privilege Escalation Risk

FortiClientEMS Vulnerabilities Under Active Exploitation, Expose Systems to RCE

China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware

A Two-Year-Old Fortinet Bug Is Now Under Active Attack — and Thousands of Systems Remain Exposed

Fortinet customers confront actively exploited zero-day, with a full patch still pending

Attackers exploited this critical FortiClient EMS bug as a 0-day

Fortinet FortiClient EMS Zero-Day: CVE-2026-35616 (Active Exploitation Underway) | watchTowr

Critical flaw in FortiClient EMS under exploitation

Fortinet Issues Emergency Patch for FortiClient Zero-Day

Attackers Target Zero-Day Flaw in Fortinet Security Software

CVE-2026-35616: Fortinet fixes actively exploited high-severity flaw

Critical Fortinet vulnerability already being used in attacks - HackYourMom

New FortiClient EMS flaw exploited in attacks, emergency patch released

Weaponizing human trust to bypass security

$285M Crypto Hack, LinkedIn Privacy Scandal, Cisco Data Leak | Cybersecurity News

The Security Gap Nobody Talks About

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

FortiClient EMS zero-day exploited, emergency hotfixes available (CVE-2026-35616)

Zero Day Dispatch: Inside the Underground Market for Unpatchable Flaws

Cyber threats evolve as Google reveals spike in zero-day bugs

Microsoft Patches Zero-Day DogWalk Vulnerability

A Single Cookie, a Backdoor, and Full Server Control: Inside the PHP Exploit Microsoft Just Exposed

Cyber Daily News for April 3, 2026

Weaponizing JetBrains TeamCity: Full RCE Exploit & Immediate Mitigations #cybersecurity

Cybersecurity Today: EU Cloud Breach, Axios Supply Chain Attack, React2Shell Exploits &...

Progress ShareFile vulnerabilities allow unauthenticated file exfiltration

Cyware Daily Threat Intelligence, April 03, 2026

Three Critical RCE Vulnerabilities in Microsoft Software Identified ...

Critical RCE in Wazuh Cluster - CVE-2026-25769 | TryHackMe Wazuh Full Walkthrough 2026

CVE-2026-3910 Deep Dive: How Remote Attackers are Hijacking Google Chrome #cybersecurity

Cisco Warns of Critical IMC Vulnerability Enabling Authentication Bypass

CVE-2026-5281: Chrome WebGPU Zero-Day Exploited In The Wild

Attacks Rewritten: Where Malware Enters the Build | Assemble 2026

Eclypsium Detects F5 BIG-IP Remote Code Execution Vulnerability (CVE-2025-53521)

STOP! Linux Users Are Being Targeted — The Systemd Vulnerability Nobody is Talking About

Chrome Vulnerability CVE-2026-5281 Exploited in the Wild

Apple’s Quiet Scramble: How a Zero-Day Exploit Chain Forced Emergency Patches Across Every Device You Own

IMPORTANT: Vivaldi Security Update Fixes an Actively Exploited ZERO-DAY + Bugs!

New Chrome Zero-Day Vulnerability Actively Exploited in Attacks — Patch Now

ServiceNow Admin Takeover: The Exploit Nobody Saw Coming

Google fixes Chrome zero-day with in-the-wild exploit (CVE-2026-5281) - Help Net Security

CISO Playbook for Fast Zero-Day Exploit Detection

Hackers Actively Exploiting Critical WebLogic RCE Vulnerabilities in Attacks | Cryptika Cybersecurity

IMPORTANT: Update Chrome Now to Fix a ZERO-DAY Security Vulnerability & More!

Is Your Android Vulnerable? CVE-2025-61612 Drops Connections & Forces Reboots #cybersecurity

FortiGuard Outbreak Alert (Walkthrough): Oracle E-Business Suite RCE Zero-day

Google fixes actively exploited Chrome zero-day flaw, update now

Multiple Vulnerabilities in Apple Products Could Allow for Privilege ...

New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released

Google fixes fourth Chrome zero-day exploited in attacks in 2026