


Fortinet released an emergency out-of-band patch for CVE-2026-35616 (CVSS 9.1), a pre-authentication API access bypass in FortiClient EMS exploited as a zero-day — the second critical FortiClient EMS vulnerability in weeks after CVE-2026-21643. The bloc's cybersecurity service attributed a major continental government cloud breach to TeamPCP, exposing data from 29 additional institutional entities. The $285M Drift Protocol heist was attributed to a state-linked financial theft group after a six-month social engineering operation. Device code phishing exploiting the OAuth 2.0 Device Authorization Grant flow has surged 37x this year, targeting 340+ organizations across five countries.
Links & Resources
By Tushar Vartak