Critical Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Patch Now

dark6 10 April 2026

A critical zero-day vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) is being actively exploited in the wild, prompting emergency patches and an urgent advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Tracked as CVE-2026-35616, the flaw carries a CVSS score of 9.8 out of 10 — placing it firmly in the critical severity category — and has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

What Is CVE-2026-35616?

CVE-2026-35616 is an improper access control vulnerability (CWE-284) in Fortinet FortiClient EMS versions 7.4.5 through 7.4.6. The flaw allows an unauthenticated remote attacker to execute unauthorized code or commands on the affected system by sending specially crafted requests to the EMS API. Because no authentication is required, the attack surface is extremely broad — any FortiClient EMS instance exposed to the internet is potentially at risk.

Threat intelligence firm Defused Cyber was among the first to publicly document active exploitation of this vulnerability, noting that adversaries were already leveraging the flaw before Fortinet released its initial hotfix. The speed at which exploitation followed disclosure underscores just how dangerous pre-authentication remote code execution bugs can be in enterprise security software.

CISA Adds CVE-2026-35616 to the KEV Catalog

On April 6, 2026, CISA formally added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, the agency’s authoritative list of security flaws confirmed to be under active attack. Under the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies were required to apply available mitigations by April 9, 2026 — an extraordinarily tight remediation window that reflects the severity of the threat.

While the BOD applies specifically to federal agencies, CISA strongly recommends that all organizations running FortiClient EMS treat this as a priority remediation effort regardless of sector.

Affected Versions and Available Fixes

The vulnerability affects FortiClient EMS versions 7.4.5 and 7.4.6. Fortinet has released an emergency hotfix to address the issue while a full patch — expected in version 7.4.7 — is finalized. Additionally, a second related vulnerability, CVE-2026-21643, affecting the same product has also been reported as actively exploited, compounding the urgency for organizations to act.

  • Hotfix available: Fortinet has published an out-of-band security update for affected EMS versions
  • Full patch: Expected in FortiClient EMS 7.4.7
  • Workaround: Where possible, restrict EMS API access to trusted IP ranges via firewall rules

Why FortiClient EMS Is a High-Value Target

FortiClient EMS is a centralized management platform for Fortinet’s endpoint security suite. It allows administrators to deploy, configure, and monitor FortiClient agents across thousands of endpoints. Compromising the EMS server gives an attacker a powerful foothold: they can potentially push malicious configurations to all managed endpoints, intercept VPN credentials, or disable security protections organization-wide. This makes it an attractive target for ransomware operators, state-sponsored threat actors, and cybercriminal groups alike.

What Security Teams Should Do Now

Organizations running FortiClient EMS should take the following steps immediately:

  • Apply the Fortinet hotfix immediately if running EMS 7.4.5 or 7.4.6
  • Check logs for suspicious API activity prior to patching, as exploitation may have already occurred
  • Isolate the EMS server from direct internet exposure using network-level controls
  • Monitor CISA KEV and Fortinet advisories for updates on CVE-2026-21643 and the full 7.4.7 release
  • Engage incident response resources if anomalous behavior is detected on the EMS or managed endpoints
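The remediation steps above can be turned into a repeatable triage check. The script below is an added example, not code from the article or from Fortinet: it classifies each EMS host by the version range the advisory names (7.4.5 through 7.4.6, fix expected in 7.4.7), whether the hotfix is already on, and whether the server is internet-exposed. The inventory and hostnames are constructed; `EmsHost` and `triage` are hypothetical helpers.

```python
"""Triage an EMS inventory against the CVE-2026-35616 advisory (added example)."""
from dataclasses import dataclass

# Affected range and expected fix version, as stated in the advisory.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_IN = (7, 4, 7)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.5' into (7, 4, 5) so comparisons are numeric.

    Plain string comparison would wrongly rank '7.4.10' below '7.4.5'.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class EmsHost:  # hypothetical inventory record, not a Fortinet type
    name: str
    version: str
    internet_exposed: bool
    hotfix_applied: bool = False


def triage(host: EmsHost) -> list[str]:
    """Return the actions the advisory calls for on this host, in order."""
    v = parse_version(host.version)
    in_range = AFFECTED_MIN <= v <= AFFECTED_MAX
    actions = []
    if in_range and not host.hotfix_applied:
        actions.append("apply-hotfix")
        # Exploitation preceded the hotfix, so review logs for prior abuse.
        actions.append("review-api-logs")
    elif in_range and v < FIXED_IN:
        actions.append("upgrade-to-7.4.7-when-released")
    if host.internet_exposed:
        actions.append("restrict-api-to-trusted-ips")
    return actions


# Constructed sample inventory (hostnames are made up).
SAMPLE_INVENTORY = [
    EmsHost("ems-hq", "7.4.5", internet_exposed=True),
    EmsHost("ems-branch", "7.4.6", internet_exposed=False, hotfix_applied=True),
    EmsHost("ems-lab", "7.4.7", internet_exposed=False),
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        print(host.name, host.version, triage(host) or ["no-action"])
```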

The Bigger Picture

CVE-2026-35616 follows a troubling pattern of critical vulnerabilities in widely deployed network security products being weaponized at scale. Security teams must prioritize rapid patching of internet-facing security infrastructure — the very tools meant to protect organizations are increasingly becoming attack vectors themselves. The combination of a near-perfect CVSS score, active exploitation, and a CISA emergency directive makes this one of the most urgent vulnerabilities of 2026 to date.
