Fortinet zero-day added to KEV
CISA added a critical Fortinet FortiClient Enterprise Management Server bypass (CVE-2026-35616, CVSS 9.1) to its Known Exploited Vulnerabilities list and told federal agencies to remediate by April 9. The flaw allows pre-auth API bypasses in EMS that can undermine enterprise patch and compliance monitoring if left open. That makes emergency patch governance and exception-tracking essential for any control owner responsible for endpoint and EMS evidence. (gbhackers.com) (x.com)
A security hole in Fortinet’s FortiClient Enterprise Management Server just moved from “vendor advisory” to “federal emergency.” On April 6, 2026, the Cybersecurity and Infrastructure Security Agency added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, which is the U.S. government’s running list of flaws already being used in real attacks. (cisa.gov)

FortiClient Enterprise Management Server, usually shortened to FortiClient EMS, is the central console many organizations use to manage endpoint security settings, push updates, enforce policy, and collect compliance status from employee devices. If that server is compromised, the problem is not limited to one laptop or one user account, because the management layer itself becomes untrustworthy. (fortiguard.fortinet.com)

The newly listed flaw is CVE-2026-35616, and Fortinet describes it as an improper access control issue in FortiClient EMS. In plain terms, the server can fail to verify who is allowed to use certain application programming interface requests, which opens the door for an attacker who has not signed in. (fortiguard.fortinet.com)

Fortinet says the bug can let an unauthenticated attacker execute unauthorized code or commands through crafted requests. That is a serious jump in impact, because the attacker does not need a valid password first and may be able to make the management server do things it should only do for trusted administrators. (fortiguard.fortinet.com)

CISA’s decision to place the flaw in the Known Exploited Vulnerabilities catalog means the agency has evidence of active exploitation. This is not a theoretical weakness waiting for a proof of concept, and it is not just another high score in a long backlog of patch notices. (cisa.gov, cisa.gov)

For federal civilian executive branch agencies, the listing came with a deadline. CISA said agencies covered by Binding Operational Directive 22-01 must remediate the vulnerability by April 9, 2026, which left only three days between the public alert and the due date. (cisa.gov)

Fortinet’s own advisory adds another important detail: the company has observed exploitation in the wild. The affected versions are FortiClient EMS 7.4.5 through 7.4.6, while FortiClient EMS 7.2 is listed as not affected. (fortiguard.fortinet.com)

The immediate fix path is unusually specific. Fortinet is urging customers on versions 7.4.5 and 7.4.6 to install a hotfix now, and it says FortiClient EMS 7.4.7 also includes a fix for CVE-2026-35616. (fortiguard.fortinet.com, docs.fortinet.com)

That matters because FortiClient EMS is not just another internal web application. It is the place where security teams often check whether endpoints are patched, whether compliance rules are being enforced, and whether remote devices are reporting healthy status back to the organization. If an attacker can tamper with that layer, the dashboards may still look normal while the underlying control evidence is no longer reliable. This last point is an inference from EMS’s management role and the nature of the bypass, rather than a direct claim from CISA or Fortinet. (fortiguard.fortinet.com)

That is why this story is bigger than one Common Vulnerabilities and Exposures entry. A pre-authentication bypass in a management server can affect patch governance, exception handling, and audit evidence all at once, because the same platform often sits in the middle of policy enforcement and reporting. This is also an inference based on how endpoint management systems are typically used in enterprise environments. (fortiguard.fortinet.com, cisa.gov)

For security teams, the practical response is not only “patch fast.” It is also “confirm trust,” which means checking whether the hotfix or upgrade was applied, documenting any systems that could not be updated before the deadline, and treating compliance data from exposed FortiClient EMS servers with extra caution until the environment is verified clean. That operational recommendation is based on the confirmed active exploitation, the federal remediation urgency, and the privileged role of the server. (cisa.gov, fortiguard.fortinet.com)

The short version is simple. A flaw in Fortinet’s endpoint management server is being actively exploited, CISA formally elevated it on April 6, 2026, and Fortinet says customers on the affected 7.4 branch should apply the hotfix or move to version 7.4.7. (cisa.gov, fortiguard.fortinet.com, docs.fortinet.com)
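The “confirm trust” steps described above (check whether the hotfix or upgrade is in place, and document anything that could not be updated by the deadline) can be turned into a small inventory triage. The Python below is an added example, not code from Fortinet, CISA or the article. It encodes only the version facts the article states (7.4.5 through 7.4.6 affected, 7.2 not affected, 7.4.7 carries the fix, a hotfix exists for the affected builds, April 9, 2026 due date), treats any other build as unknown rather than guessing, and runs over a constructed sample inventory with hypothetical host names. The inventory fields (version string, recorded hotfix state, exposure flag) are assumed to come from your CMDB or from the EMS servers themselves; the script does not touch the servers.

```python
"""Triage a FortiClient EMS inventory against the CVE-2026-35616 facts stated
in the article. Added example; sample hosts below are constructed, not real."""
from dataclasses import dataclass
from datetime import date

CVE = "CVE-2026-35616"
KEV_DUE_DATE = date(2026, 4, 9)                  # BOD 22-01 deadline from the CISA listing
AFFECTED_LOW, AFFECTED_HIGH = (7, 4, 5), (7, 4, 6)  # inclusive range per the Fortinet advisory
FIXED_RELEASE = (7, 4, 7)                        # release the article names as containing the fix
NOT_AFFECTED_BRANCH = (7, 2)                     # branch the advisory lists as not affected


def parse_version(text: str) -> tuple:
    """Turn '7.4.6' into (7, 4, 6). Bad inventory data raises instead of being skipped silently."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EMS version string: {text!r}")
    return tuple(int(p) for p in parts)


def _as_date(today) -> date:
    """Accept either a date or an ISO string for the assessment day."""
    return date.fromisoformat(today) if isinstance(today, str) else today


@dataclass
class EmsServer:
    name: str                     # hypothetical asset identifier from the inventory
    version: str                  # EMS version string as recorded for the server
    hotfix_applied: bool = False  # whether the vendor hotfix for this CVE is recorded as installed
    internet_exposed: bool = False


@dataclass
class Finding:
    name: str
    status: str                   # fixed | hotfixed | vulnerable | not_affected | unknown
    action: str
    exception_required: bool      # True for an unremediated affected server past the due date


def classify(server: EmsServer, today) -> Finding:
    today = _as_date(today)
    v = parse_version(server.version)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        if server.hotfix_applied:
            return Finding(server.name, "hotfixed",
                           "hotfix recorded; verify it, then schedule upgrade to 7.4.7", False)
        overdue = today > KEV_DUE_DATE
        action = "apply hotfix or upgrade to 7.4.7 immediately"
        if overdue:
            action += f"; record exception (missed {KEV_DUE_DATE.isoformat()} deadline)"
        return Finding(server.name, "vulnerable", action, overdue)
    if v == FIXED_RELEASE:
        return Finding(server.name, "fixed", "none", False)
    if v[:2] == NOT_AFFECTED_BRANCH:
        return Finding(server.name, "not_affected", "none", False)
    # Any other build is not covered by the advisory text encoded here: do not guess,
    # send it for manual confirmation against the vendor advisory.
    return Finding(server.name, "unknown", "confirm status against the Fortinet advisory", False)


def triage(servers, today) -> list:
    """Classify every server; exposed, unremediated servers sort to the top."""
    rank = {"vulnerable": 0, "unknown": 1, "hotfixed": 2, "fixed": 3, "not_affected": 4}
    exposure = {s.name: s.internet_exposed for s in servers}
    findings = [classify(s, today) for s in servers]
    return sorted(findings, key=lambda f: (rank[f.status], not exposure[f.name], f.name))


def exception_register(findings) -> list:
    """Entries for the 'could not be updated before the deadline' record the article calls for."""
    return [{"asset": f.name, "cve": CVE, "due": KEV_DUE_DATE.isoformat(), "note": f.action}
            for f in findings if f.exception_required]


# Constructed sample inventory (hypothetical names and states, not real hosts).
SAMPLE_INVENTORY = [
    EmsServer("ems-hq-01", "7.4.6", hotfix_applied=False, internet_exposed=True),
    EmsServer("ems-hq-02", "7.4.5", hotfix_applied=True),
    EmsServer("ems-lab-01", "7.4.7"),
    EmsServer("ems-legacy-01", "7.2.0"),
    EmsServer("ems-dr-01", "7.4.4"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY, "2026-04-10")   # one day after the KEV due date
    for f in results:
        print(f"{f.name:14} {f.status:13} {f.action}")
    print(exception_register(results))
```

Run on a date after April 9 the unremediated, internet-exposed server lands first and produces an exception entry; run before the deadline it is still ranked first but no exception is raised. The deliberate “unknown” bucket matters: a 7.4.4 or an unexpected build string is surfaced for a human check rather than being silently scored as safe, which is the failure mode a control owner most needs to avoid when EMS itself is the evidence source.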