The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive concerning a critical vulnerability identified as CVE-2026-35616 in Fortinet’s FortiClient Enterprise Management Server (EMS). This vulnerability, added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, necessitates urgent remediation by federal agencies by April 9, 2026.
Underlining the Severity of CVE-2026-35616
The identified flaw, CVE-2026-35616, is a critical improper access control vulnerability with a CVSS score of 9.1, affecting FortiClient EMS versions 7.4.5 and 7.4.6. Notably, versions in the 7.2 branch are not impacted. The flaw allows an unauthenticated attacker to bypass API authentication and escalate privileges without any valid user credentials.
According to Fortinet’s advisory (FG-IR-26-099), the vulnerability enables unauthorized actors to execute malicious code via crafted HTTP requests, posing a significant risk to exposed EMS systems.
Active Exploitation and Response
Exploitation of this zero-day vulnerability was first observed on March 31, 2026, by watchTowr, which detected exploitation attempts against its honeypots. Researchers Simo Kohonen of Defused Cyber and Nguyen Duc Anh responsibly reported the vulnerability. Fortinet confirmed the active exploitation in an urgent advisory, urging affected users to apply the hotfixes for versions 7.4.5 and 7.4.6 promptly.
This incident marks the second critical vulnerability in FortiClient EMS in recent weeks, highlighting the potential security risks for internet-facing deployments. Successful exploitation can lead to unauthorized code execution and potentially allow attackers to infiltrate networks further.
Urgency of Mitigation and Broader Implications
CISA’s directive under Binding Operational Directive (BOD) 22-01 underscores the urgency of mitigating this vulnerability, with a strict deadline for federal agencies set for April 9, 2026. The short remediation window, three days after the KEV listing, reflects the critical nature of the threat.
The Shadowserver Foundation has identified over 2,000 publicly accessible FortiClient EMS instances globally, with two confirmed cases of active exploitation. This widespread exposure increases the urgency for administrators to secure their systems against this critical vulnerability.
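The two facts that matter for triage are the affected version set stated in the advisory (7.4.5 and 7.4.6 only; the 7.2 branch is unaffected) and whether a given EMS instance is reachable from the internet. The script below is an added example, not tooling from Fortinet, CISA or Shadowserver: it takes a constructed asset inventory and ranks hosts by remediation priority. The inventory fields (host name, version string, internet-facing flag, hotfix-applied flag) are assumptions for illustration; a real deployment would populate them from its own asset records. It also flags hosts that were affected and exposed before the hotfix landed, since exploitation began on March 31, 2026, before a fix was available, so patching alone does not rule out prior compromise.

```python
"""Triage helper for CVE-2026-35616 in FortiClient EMS.

Added example, not vendor or agency code. It encodes only what the
advisory states: EMS 7.4.5 and 7.4.6 are affected, 7.2.x is not, and
the remediation is a hotfix for those two versions. The inventory
layout below is an assumption made for this illustration.
"""
from dataclasses import dataclass

# Affected versions per the Fortinet advisory (FG-IR-26-099).
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}

# Priority levels, lowest number = act first.
URGENT, HIGH, VERIFY, UNAFFECTED = 0, 1, 2, 3


@dataclass
class EmsHost:
    """One EMS instance from an (assumed) asset inventory."""
    name: str
    version: str
    internet_facing: bool
    hotfix_applied: bool = False


def parse_version(text: str) -> tuple:
    """Turn '7.4.5' into (7, 4, 5); reject anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True only for the exact versions named in the advisory."""
    return parse_version(version) in AFFECTED_VERSIONS


def triage(hosts: list) -> list:
    """Return (priority, host name, reason) tuples, most urgent first.

    Even a hotfixed host is not 'done' if it was exposed while vulnerable:
    exploitation in the wild predates the hotfix, so it still needs a
    compromise assessment rather than being closed out.
    """
    results = []
    for h in hosts:
        if not is_affected(h.version):
            results.append((UNAFFECTED, h.name, "not an affected version"))
        elif h.hotfix_applied and h.internet_facing:
            results.append((VERIFY, h.name,
                            "hotfixed but was internet-facing; check for "
                            "compromise predating the hotfix (exploited since 2026-03-31)"))
        elif h.hotfix_applied:
            results.append((VERIFY, h.name, "hotfixed, internal; confirm hotfix version"))
        elif h.internet_facing:
            results.append((URGENT, h.name,
                            "affected, unpatched, internet-facing: apply hotfix now "
                            "and restrict EMS exposure"))
        else:
            results.append((HIGH, h.name,
                            "affected, unpatched, internal: hotfix before the deadline"))
    return sorted(results)


# Constructed sample inventory; names and states are made up for the demo.
SAMPLE_INVENTORY = [
    EmsHost("ems-dmz-01", "7.4.6", internet_facing=True),
    EmsHost("ems-corp-02", "7.4.5", internet_facing=False),
    EmsHost("ems-lab-03", "7.2.10", internet_facing=True),
    EmsHost("ems-dmz-04", "7.4.5", internet_facing=True, hotfix_applied=True),
]


if __name__ == "__main__":
    for prio, name, reason in triage(SAMPLE_INVENTORY):
        print(f"P{prio} {name:<12} {reason}")
```

Run it as-is to see the ranking for the constructed inventory; in practice, replace SAMPLE_INVENTORY with your own host list and feed the URGENT entries straight to whoever owns the perimeter.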
In conclusion, the swift action by CISA and Fortinet emphasizes the importance of addressing actively exploited vulnerabilities promptly. Organizations running FortiClient EMS 7.4.5 or 7.4.6 are urged to apply the hotfixes and to limit internet exposure of EMS to safeguard their infrastructure.