Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS) software, allowing for unauthenticated remote code or command execution. This flaw is one of two critical vulnerabilities actively targeted by malicious actors, posing an immediate and severe risk to organizations utilizing the affected product. Fortinet has acknowledged the active exploitation, releasing an urgent hotfix to address the zero-day and promising a comprehensive patch in the near future [1]. The vendor’s rapid response, published on April 6, 2026, underscores the severity of the threat, particularly as the unauthenticated nature of the remote code execution facilitates broad exploitation without requiring prior access credentials.

The ongoing campaign demands immediate attention from network defenders. Organizations relying on FortiClient EMS are strongly advised to assess their exposure without delay and apply the available hotfix. Given the confirmed in-the-wild exploitation, the window for preventative patching is closing rapidly, making prompt remediation essential to prevent unauthorized system control and potential data compromise.
Attackers Target Zero-Day Flaw in Fortinet Security Software
⚡ High Priority
Why This Matters
Zero-day activity targeting Fortinet means patching windows are already closing — assess your exposure immediately.
References
- Bank Info Security. (2026, April 6). Attackers Target Zero-Day Flaw in Fortinet Security Software. *Bank Info Security*. https://www.bankinfosecurity.com/attackers-target-zero-day-flaw-in-fortinet-security-software-a-31344
Original Source
Bank Info Security