The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-35616, a critical improper access control vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, mandating federal agencies to remediate by April 9, 2026.
CVE-2026-35616 is a critical-severity flaw rooted in CWE-284 (Improper Access Control), carrying a CVSS score of 9.1. The vulnerability specifically affects FortiClient EMS versions 7.4.5 and 7.4.6, while the 7.2 branch remains unaffected.
The flaw functions as a pre-authentication API access bypass, enabling privilege escalation without any valid credentials.
According to Fortinet’s official advisory (FG-IR-26-099), the vulnerability allows an unauthenticated attacker to sidestep API authentication and authorization protections and execute malicious code or commands via specially crafted HTTP requests.
This effectively grants threat actors an unauthenticated remote code execution (RCE) primitive against exposed EMS deployments.
Active exploitation of this zero-day was first recorded on March 31, 2026, when watchTowr detected exploitation attempts against its honeypots. Security researchers Simo Kohonen from Defused Cyber and Nguyen Duc Anh are credited with discovering and responsibly reporting the flaw.
Fortinet confirmed in-the-wild exploitation in its weekend emergency advisory, stating it “urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6”.
The rapid confirmation from Fortinet following Defused Cyber’s public disclosure highlights the severity and immediacy of the threat. This marks the second critical EMS vulnerability exploited in a matter of weeks, raising concerns about the attack surface exposed by internet-facing FortiClient EMS deployments.
Successful exploitation allows an attacker to:
- Bypass API authentication and authorization controls without any credentials.
- Execute unauthorized code or commands remotely via crafted requests.
- Potentially gain an initial foothold in the target network, enabling lateral movement or malware deployment.
- Escalate privileges within the EMS environment, compromising connected endpoint clients.
The EMS telemetry endpoint, which typically needs to be internet-accessible to receive telemetry from enrolled endpoints, significantly widens the attack surface for this vulnerability.
CISA’s addition to the KEV catalog under Binding Operational Directive (BOD) 22-01 mandates that all U.S. federal civilian executive branch agencies apply mitigations no later than April 9, 2026. The short three-day remediation window reflects the critical nature of active exploitation.
The Shadowserver Foundation has issued an urgent warning to administrators of FortiClient Enterprise Management Server (EMS). They have identified more than 2,000 publicly accessible instances worldwide, with two of these confirmed to be actively exploited due to critical unauthenticated remote code execution (RCE) vulnerabilities.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
