The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday.
Tracked as CVE-2026-35616, this security flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that can allow attackers to bypass authentication and authorization controls entirely.
Fortinet released emergency hotfixes over the weekend to address the vulnerability and said the security issue stems from an improper access control weakness that unauthenticated attackers can exploit to execute code or commands via specially crafted requests.
The company also warned that threat actors had been exploiting it in zero-day attacks and warned IT administrators to secure their EMS instances as soon as possible by applying the hotfixes or upgrading to FortiClient EMS version 7.4.7 when it becomes available.
“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the company said.
Internet security watchdog group Shadowserver currently tracks nearly 2,000 FortiClient EMS instances exposed online, with more than 1,400 IPs in the United States and in Europe. However, there are no details on how many have already been patched or have vulnerable configurations.
On Monday, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch FortiClient EMS instances by Thursday midnight, April 9, as mandated by Binding Operational Directive (BOD) 22-01.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Even though BOD 22-01 applies only to U.S. federal agencies, CISA urged all defenders (including those in the private sector) to prioritize patching for CVE-2026-35616 and secure their organizations’ networks as soon as possible.
Fortinet patched another critical FortiClient EMS flaw (CVE-2026-21643) in February, which was also flagged less than two weeks ago as exploited in attacks.
Fortinet vulnerabilities are often exploited in cyber espionage campaigns and ransomware attacks (often as zero-day bugs) to breach corporate networks. Most recently, Fortinet blocked FortiCloud SSO connections from devices running vulnerable firmware versions to mitigate CVE-2026-24858 zero-day attacks.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
