Critical Fortinet Zero-Day Exploited in Wild, Malicious npm Campaign Targets Databases

Critical | Vulnerabilities & Exploits | April 5, 2026 | 2 min read

Originally reported by The Hacker News, MSRC Security Updates

#fortinet #zero-day #npm-supply-chain #database-exploitation #cve-tracking #active-exploitation #linux-kernel #cups

TL;DR

Fortinet released emergency patches for CVE-2026-35616, a critical pre-authentication bypass in FortiClient EMS being actively exploited. Researchers also discovered 36 malicious npm packages masquerading as Strapi plugins to exploit databases and deploy persistent implants.

Why critical?

The roundup includes an actively exploited zero-day in Fortinet FortiClient EMS with a CVSS score of 9.1, meaning confirmed in-the-wild exploitation of enterprise security infrastructure.

Fortinet FortiClient EMS Zero-Day Under Active Attack

Fortinet has issued out-of-band security patches for CVE-2026-35616, a critical vulnerability in FortiClient EMS with a CVSS score of 9.1 that threat actors are actively exploiting in the wild. The flaw represents a pre-authentication API access bypass leading to privilege escalation.

The vulnerability stems from improper access control (CWE-284) that allows attackers to bypass authentication mechanisms and escalate privileges without legitimate credentials. Fortinet's emergency patch release indicates the severity of ongoing exploitation campaigns targeting enterprise environments.

Organizations running FortiClient EMS should prioritize immediate patching, as the pre-authentication nature of the vulnerability significantly lowers the barrier to exploitation.

Supply Chain Attack: 36 Malicious npm Packages Target Database Infrastructure

Security researchers have identified 36 malicious packages in the npm registry masquerading as legitimate Strapi CMS plugins. These packages deploy sophisticated payloads designed to exploit Redis and PostgreSQL databases, establish reverse shells, harvest credentials, and maintain persistent access to compromised systems.

Each malicious package follows a consistent structure containing three files: package.json, index.js, and postinstall.js. The packages lack standard metadata such as descriptions or repository links, serving as potential indicators for detection.

The campaign demonstrates the continued evolution of supply chain attacks targeting JavaScript ecosystems, with attackers specifically focusing on database infrastructure commonly deployed alongside Node.js applications.

Microsoft Security Response Center CVE Disclosures

Microsoft's Security Response Center has published information for eight new CVE identifiers covering vulnerabilities across multiple components:

Linux Kernel Vulnerabilities:

  • CVE-2026-23473: io_uring polling mechanism race condition affecting multishot receive operations
  • CVE-2026-31394: mac80211 crash vulnerability in AP_VLAN station bandwidth change handling
  • CVE-2026-23468: AMD GPU driver resource exhaustion through unlimited buffer object list entries
  • CVE-2026-23442: IPv6 null pointer dereference in Segment Routing v6 (SRv6) code paths
  • CVE-2026-23472: Serial core infinite loop condition for PORT_UNKNOWN devices

System Components:

  • CVE-2026-34978: OpenPrinting CUPS path traversal vulnerability enabling arbitrary file writes outside designated cache directories
  • CVE-2026-27456: util-linux mount utility time-of-check-time-of-use (TOCTOU) race condition during loop device setup
  • CVE-2026-35414: Unspecified vulnerability with limited public information

These disclosures span critical system components from kernel networking stacks to printing subsystems, requiring coordinated patching efforts across Linux distributions and affected platforms.

Sources

  • https://thehackernews.com/2026/04/36-malicious-npm-packages-exploited.html
  • https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35414
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34978
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23473
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31394
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23468
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23442
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27456
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23472
