Fortinet CVE-2026-35616 Zero-Day Under Active Exploitation Signals Nation-State Pre-Positioning Amid Rising Global Tensions
CVE-2026-35616 is being actively exploited as a zero-day by sophisticated actors, likely nation-state groups, targeting Fortinet infrastructure. This represents an urgent enterprise risk with geopolitical implications, requiring immediate patching and hunting. Original coverage understates the strategic pre-positioning dimension visible in related APT campaigns by groups tracked by Mandiant and Microsoft.
The active exploitation of Fortinet CVE-2026-35616 as a zero-day, first reported by Decipher, represents far more than a routine software flaw. While the original coverage accurately notes in-the-wild attacks, it underplays the strategic context: this vulnerability is emerging during a period of heightened geopolitical friction, including intensified great-power competition between the US, China, and Russia, ongoing hybrid operations in Ukraine, and persistent reconnaissance against critical infrastructure in the Indo-Pacific.
Drawing on patterns from previous Fortinet campaigns, this CVE fits the established playbook of Chinese-linked APT groups such as Volt Typhoon and UNC3886, who have repeatedly targeted FortiGate and FortiOS appliances for persistent access. Mandiant's 2024 analysis of APT41 and related clusters documented how similar SSL-VPN and authentication bypass flaws were leveraged for months before public disclosure to map defense contractor and energy sector networks. Microsoft's Threat Intelligence Center has similarly tracked state actors using Fortinet devices as initial access brokers for broader supply-chain compromises.
What the original Decipher piece missed is the likely dual-use nature of these exploits: not merely opportunistic crime but deliberate pre-positioning. In an environment where cyber operations increasingly serve as the opening moves in potential kinetic conflict, leaving these systems unpatched effectively grants adversaries persistent footholds inside Western enterprise and government perimeters. CISA's Known Exploited Vulnerabilities catalog has repeatedly shown that Fortinet flaws rise to the top of adversary target lists precisely because they sit at the boundary between IT and OT environments.
The risk is asymmetric. Smaller enterprises and mid-market organizations with limited patch management resources face the highest exposure, creating a patchwork of weak nodes that sophisticated actors can use to pivot into larger targets. Historical data from the 2022-2024 wave of Fortinet exploitation demonstrates that once initial access is gained, threat actors rapidly deploy custom tooling and establish command-and-control channels that are difficult to dislodge.
This incident demands immediate prioritization. Organizations should not only apply the patch but also conduct urgent log analysis for indicators of compromise dating back at least 90 days. In the current climate of strategic competition, treating this as a mere technical update would be a serious miscalculation.
SENTINEL: This zero-day is almost certainly being used by state-linked actors for long-term access into enterprise and critical infrastructure networks. Organizations that delay patching are effectively volunteering as soft targets in an environment of escalating strategic competition.
Sources (3)
- [1]Fortinet CVE-2026-35616 Actively Exploited as Zero Day(https://decipher.sc/2026/04/04/fortinet-cve-2026-35616-actively-exploited/)
- [2]APT Groups Exploit Fortinet Vulnerabilities for Persistent Access(https://www.mandiant.com/resources/blog/apt-actors-exploit-fortinet)
- [3]Threat Actors Continue to Exploit Fortinet Vulnerabilities(https://www.microsoft.com/en-us/security/blog/2024/03/14/)