CISA orders feds to patch exploited Fortinet EMS flaw by Friday
CISA orders federal agencies to patch actively exploited Fortinet EMS vulnerability by Friday.
Summary
CISA has added CVE-2026-35616, a pre-authentication API access bypass in Fortinet FortiClient Enterprise Management Server, to its Known Exploited Vulnerabilities catalog and mandated that federal agencies patch by April 9. The flaw allows unauthenticated attackers to bypass authentication and execute code; Fortinet released emergency hotfixes after observing active exploitation. Shadowserver estimates nearly 2,000 FortiClient EMS instances exposed online, with over 1,400 in the US and Europe.
Full text
CISA orders feds to patch exploited Fortinet EMS flaw by Friday By Sergiu Gatlan April 6, 2026 12:02 PM 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. Tracked as CVE-2026-35616, this security flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that can allow attackers to bypass authentication and authorization controls entirely. Fortinet released emergency hotfixes over the weekend to address the vulnerability and said the security issue stems from an improper access control weakness that unauthenticated attackers can exploit to execute code or commands via specially crafted requests. The company also warned that threat actors had been exploiting it in zero-day attacks and warned IT administrators to secure their EMS instances as soon as possible by applying the hotfixes or upgrading to FortiClient EMS version 7.4.7 when it becomes available. "Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6," the company said. Internet security watchdog group Shadowserver currently tracks nearly 2,000 FortiClient EMS instances exposed online, with more than 1,400 IPs in the United States and in Europe. However, there are no details on how many have already been patched or have vulnerable configurations. FortiClient EMS instances exposed online (Shadowserver) On Monday, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch FortiClient EMS instances by Thursday midnight, April 9, as mandated by Binding Operational Directive (BOD) 22-01. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." Even though BOD 22-01 applies only to U.S. federal agencies, CISA urged all defenders (including those in the private sector) to prioritize patching for CVE-2026-35616 and secure their organizations' networks as soon as possible. Fortinet patched another critical FortiClient EMS flaw (CVE-2026-21643) in February, which was also flagged less than two weeks ago as exploited in attacks. Fortinet vulnerabilities are often exploited in cyber espionage campaigns and ransomware attacks (often as zero-day bugs) to breach corporate networks. Most recently, Fortinet blocked FortiCloud SSO connections from devices running vulnerable firmware versions to mitigate CVE-2026-24858 zero-day attacks. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: New FortiClient EMS flaw exploited in attacks, emergency patch releasedCritical Fortinet Forticlient EMS flaw now exploited in attacksCISA: New Langflow flaw actively exploited to hijack AI workflowsCISA orders feds to patch max-severity Cisco flaw by SundayWordPress membership plugin bug exploited to create admin accounts
Indicators of Compromise
- cve — CVE-2026-35616
- cve — CVE-2026-21643
- cve — CVE-2026-24858