CISA warns of actively exploited Fortinet FortiClient EMS flaw and gives agencies three days to patch


CISA has added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, which means federal agencies now need to fix the Fortinet FortiClient EMS flaw by April 9, 2026. The move follows Fortinet’s own warning that attackers are already exploiting the bug in the wild.

The flaw affects FortiClient EMS 7.4.5 and 7.4.6. Fortinet says an unauthenticated attacker can use crafted API requests to execute unauthorized code or commands, which makes this a serious risk for internet-exposed EMS deployments.

Fortinet has released emergency hotfixes for both affected versions, and the company says the upcoming 7.4.7 release will also contain a permanent fix. FortiClient EMS 7.2 is not affected.

Why CISA moved quickly

CISA’s KEV addition matters because it turns a vendor warning into a federal patching deadline. Under Binding Operational Directive 22-01, US civilian federal agencies must either apply the fix by the deadline, follow vendor mitigations, or stop using the affected product.

That short window shows how seriously CISA views the threat. The agency only adds flaws to the KEV catalog when it has evidence of real-world exploitation, and Fortinet has already said it observed attacks in the wild.

This is also the second actively exploited FortiClient EMS issue in a short span. That raises fresh concerns around how many organizations still expose EMS management systems to the public internet.

What the vulnerability does

Fortinet classifies CVE-2026-35616 as an improper access control issue in the API layer of FortiClient EMS. In practical terms, the flaw lets an attacker bypass normal API authentication and authorization checks without logging in first.

Fortinet’s advisory says the outcome can include unauthorized code or command execution. Security reporting also describes the bug as a pre-authentication API access bypass, which explains why defenders see it as especially dangerous on internet-facing systems.

The official severity score still looks slightly inconsistent across public sources. Fortinet’s advisory page lists a CVSS v3 score of 9.1, while other security databases and follow-up reports sometimes present stronger wording around remote code execution. Even so, the vendor’s own language and CISA’s action make the urgency clear.

Exposure and threat picture

Security reporting says Shadowserver found more than 2,000 FortiClient EMS instances exposed online, with many located in the United States and Germany. That does not mean all of them remain vulnerable, but it does show that the attack surface is large enough to worry defenders.

Fortinet credited Simo Kohonen from Defused and Nguyen Duc Anh for reporting the bug. BleepingComputer also reported that Defused observed exploitation before public disclosure, which suggests attackers found and used the flaw before many customers knew it existed.

One detail stands out in Fortinet’s advisory. The summary clearly says Fortinet observed exploitation in the wild, yet a metadata field on the same page shows “Known Exploited: No.” CISA’s KEV listing resolves that conflict in practice, since the agency’s catalog entry confirms exploitation strongly enough to trigger a federal deadline.

Affected versions and fix status

Product            Affected versions   Status
FortiClient EMS    7.4.5, 7.4.6        Hotfix available now
FortiClient EMS    7.4.7               Upcoming release will include fix
FortiClient EMS    7.2 branch          Not affected
FortiClient Cloud  N/A                 Already remediated by Fortinet
FortiSASE          N/A                 Already remediated by Fortinet

What admins should do now

  • Install Fortinet’s emergency hotfix on any EMS 7.4.5 or 7.4.6 server immediately.
  • Restrict external access to EMS management interfaces until patching is complete. This is a defensive step based on the flaw’s unauthenticated network attack path.
  • Review EMS logs for suspicious API requests or unusual admin activity, especially on any system that was internet-facing before patching.
  • Plan to move to 7.4.7 when it becomes available, even if you already applied the hotfix.
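As an added illustration of the triage these steps imply (example code written for this page, not Fortinet's or CISA's tooling), the Python script below classifies an EMS inventory by affected version, hotfix state and internet exposure, ranks the servers so internet-facing unpatched hosts come first, and counts the days left to the KEV deadline. The affected versions and the deadline come from the article; the hostnames, version strings and exposure flags in the sample inventory are constructed and hypothetical.

```python
"""Triage a FortiClient EMS inventory against CVE-2026-35616.

Added example, not vendor code. Affected versions and the CISA deadline are
taken from the advisory as summarised in the article; the inventory below is
constructed sample data with hypothetical hostnames.
"""
import re
from dataclasses import dataclass
from datetime import date

# Facts from the page: affected builds and the BOD 22-01 remediation deadline.
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
KEV_DEADLINE = date(2026, 4, 9)

# Status labels, ordered from most to least urgent.
VULNERABLE_EXPOSED = "vulnerable_internet_facing"
VULNERABLE_INTERNAL = "vulnerable_internal_only"
HOTFIXED = "hotfixed_upgrade_to_7.4.7_pending"
NOT_AFFECTED = "not_affected"
PRIORITY = {VULNERABLE_EXPOSED: 0, VULNERABLE_INTERNAL: 1, HOTFIXED: 2, NOT_AFFECTED: 3}


@dataclass
class EmsServer:
    name: str               # hypothetical hostname
    version: str            # version string as reported by the EMS console
    hotfix_applied: bool    # Fortinet's emergency hotfix installed?
    internet_facing: bool   # management interface reachable from the internet?


def parse_version(text: str) -> tuple:
    """Extract the leading dotted numeric version: 'v7.4.5 build 1234' -> (7, 4, 5)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(server: EmsServer) -> str:
    """Classify one server by version, hotfix state and exposure."""
    version = parse_version(server.version)
    if version not in AFFECTED_VERSIONS:
        # Covers the 7.2 branch and 7.4.7 or later, which the page lists as unaffected/fixed.
        return NOT_AFFECTED
    if server.hotfix_applied:
        # The hotfix closes the hole, but the page still advises moving to 7.4.7.
        return HOTFIXED
    return VULNERABLE_EXPOSED if server.internet_facing else VULNERABLE_INTERNAL


def days_until_deadline(today) -> int:
    """Days left before the CISA KEV deadline; negative once it has passed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (KEV_DEADLINE - today).days


def triage(servers, today):
    """Return (name, status) pairs, most urgent first, plus days left to remediate."""
    ranked = sorted(servers, key=lambda s: (PRIORITY[assess(s)], s.name))
    return [(s.name, assess(s)) for s in ranked], days_until_deadline(today)


# Constructed sample inventory (all values hypothetical).
SAMPLE_INVENTORY = [
    EmsServer("ems-hq", "7.4.6", hotfix_applied=False, internet_facing=True),
    EmsServer("ems-lab", "7.4.5 build 1000", hotfix_applied=True, internet_facing=False),
    EmsServer("ems-branch", "7.4.5", hotfix_applied=False, internet_facing=False),
    EmsServer("ems-legacy", "7.2.10", hotfix_applied=False, internet_facing=True),
]

if __name__ == "__main__":
    rows, days_left = triage(SAMPLE_INVENTORY, "2026-04-06")
    print(f"{days_left} day(s) until the CISA deadline of {KEV_DEADLINE}")
    for name, status in rows:
        print(f"{name:12} {status}")
```

The ranking puts an unpatched, internet-facing 7.4.x server ahead of an internal one because the flaw's attack path is unauthenticated and network-reachable; a hotfixed server still appears in the list so the later move to 7.4.7 is not forgotten.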

FAQ

What is CVE-2026-35616?

It is a critical FortiClient EMS API access control flaw that can let an unauthenticated attacker bypass protections and execute unauthorized code or commands through crafted requests.

Which versions are affected?

Fortinet says only FortiClient EMS 7.4.5 and 7.4.6 are affected. The 7.2 branch is not affected.

Is the bug under active attack?

Yes. Fortinet says it observed exploitation in the wild, and CISA added the flaw to the KEV catalog on April 6, 2026.

What is the patch deadline for federal agencies?

CISA says federal civilian agencies must remediate by April 9, 2026.
