CISA lists critical Fortinet bug

CISA added a critical Fortinet FortiClient EMS vulnerability (CVE‑2026‑35616, CVSS 9.1) to its Known Exploited Vulnerabilities catalogue and urged federal agencies to patch by April 9 because the flaw is being actively exploited. Fortinet describes it as an improper access control flaw in the product's API that lets an unauthenticated attacker execute unauthorized code or commands; some reporting summarizes the effect as privilege escalation. Either way, it raises urgent patch and inventory tasks for security teams. (x.com)

On April 6, CISA did something that always gets security teams moving fast: it added a Fortinet bug, CVE-2026-35616, to the federal government's Known Exploited Vulnerabilities (KEV) catalog. That list is not a watchlist for theoretical risk. It is CISA's running record of flaws that attackers are already using in the wild. For federal civilian agencies, a KEV entry comes with a clock, and this one came with almost no time at all: patch by April 9. (cisa.gov, cisa.gov)

The vulnerable product is FortiClient EMS, Fortinet's server for managing endpoint security software across a company's fleet of laptops and desktops. It is the kind of tool administrators use to push settings, enroll devices, and keep policy consistent. That also makes it a tempting target: if an attacker gets control of the management server, the compromise can spread outward from a single administrative hub to every endpoint it manages. (fortiguard.fortinet.com, bleepingcomputer.com)

Fortinet says the flaw is an access-control failure in the product's API. In plain terms, the server can be tricked into accepting requests it should reject. The company's advisory says an unauthenticated attacker can use crafted requests to execute unauthorized code or commands, which is worse than a simple login bypass: it means an attacker may be able to make the server do work on their behalf before anyone signs in. (fortiguard.fortinet.com)

That is why the bug has generated some confusion in shorthand summaries. CISA's catalog classifies CVE-2026-35616 as an "improper access control" vulnerability, while some reporting and social posts describe the effect as privilege escalation. Both point to the same practical outcome for defenders: a system that should have been fenced off can be driven by an outsider. BleepingComputer, citing researcher Defused, described the issue as a pre-authentication API access bypass that lets attackers skip both authentication and authorization checks. (cisa.gov, bleepingcomputer.com)

Fortinet published its advisory on April 4 and said it had already seen exploitation in the wild. The company says the affected versions are FortiClient EMS 7.4.5 and 7.4.6. Version 7.2 is not affected, and the permanent fix is slated for 7.4.7, but Fortinet is telling customers on 7.4.5 and 7.4.6 not to wait for that release and to install the emergency hotfixes now. (fortiguard.fortinet.com)

The speed of the timeline is part of the story. Fortinet's notice landed on Saturday, April 4. CISA added the bug to KEV on Monday, April 6. Federal agencies then got until Thursday, April 9, to remediate it under Binding Operational Directive 22-01, the rule that turns KEV entries into patch deadlines for the civilian side of the U.S. government. Outside government, the directive does not apply, but CISA explicitly says other organizations should treat KEV listings as a priority signal in their own vulnerability programs. (fortiguard.fortinet.com, cisa.gov, cisa.gov)

This is also the second FortiClient EMS emergency in quick succession. In February, Fortinet patched CVE-2026-21643, another critical FortiClient EMS flaw that allowed remote code execution and was later also flagged as exploited in the wild. When the same product line takes two critical hits within weeks, defenders stop thinking only about one patch and start thinking about exposure: which servers are internet-facing, which business units run them, and whether the inventory is complete. (fortiguard.fortinet.com, bleepingcomputer.com)

Researchers have offered one more concrete reason for urgency. Defused said it found the flaw being exploited as a zero-day before disclosure, and Shadowserver told BleepingComputer it had identified more than 2,000 exposed FortiClient EMS instances online, many in the United States and Germany. For a security team reading CISA's April 9 deadline, that turns an abstract patch notice into a very specific job: find every exposed EMS server, apply the hotfix, and make sure the one machine meant to manage the fleet is not the machine an attacker is already using to reach it. (bleepingcomputer.com)
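The inventory job described above, as an added example that is not Fortinet's or CISA's code: a small Python triage script that classifies each FortiClient EMS host by version using only what the advisory states (7.4.5 and 7.4.6 affected, 7.2 not affected, fix in 7.4.7), flags any version the advisory does not mention for a manual check rather than guessing, ranks internet-facing hosts first, and computes days remaining to the KEV due date. The host inventory and the KEV-style record are constructed for illustration; the record uses CISA's field names but is not a copy of the real feed entry. Note that the script keys on the version string alone, so it cannot tell whether a hotfix has already been applied to a 7.4.5 or 7.4.6 host; track that separately.

```python
"""Triage a FortiClient EMS inventory against the CVE-2026-35616 advisory.

Added example, not Fortinet's or CISA's code. Affected versions (7.4.5,
7.4.6), the unaffected 7.2 branch and the fixed release (7.4.7) come from
the article; the inventory and the KEV record below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed KEV-style record (CISA field names, dates as reported).
KEV_ENTRY = {
    "cveID": "CVE-2026-35616",
    "vendorProject": "Fortinet",
    "product": "FortiClient EMS",
    "dateAdded": "2026-04-06",
    "dueDate": "2026-04-09",
}

AFFECTED = {(7, 4, 5), (7, 4, 6)}   # per advisory: hotfix required
FIXED_MIN = (7, 4, 7)               # per advisory: permanent fix
UNAFFECTED_BRANCH = (7, 2)          # per advisory: not affected


@dataclass
class Host:
    name: str
    version: str
    internet_facing: bool


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '7.4.5' into (7, 4, 5); reject strings that are not dotted ints."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version string: {v!r}")
    return parts


def classify(version: str) -> str:
    """Map a version to an action, saying only what the advisory supports."""
    v = parse_version(version)
    if v[:3] in AFFECTED:
        return "apply-hotfix"
    if v[:2] == UNAFFECTED_BRANCH:
        return "not-affected"
    if v[:2] == (7, 4) and v[:3] >= FIXED_MIN:
        return "fixed"
    # 7.4.0-7.4.4, 7.0, 7.6 and others: the advisory text here says nothing,
    # so do not assume safety; send these to a human with the advisory link.
    return "check-advisory"


def triage(hosts: list[Host], today: date) -> tuple[int, list[tuple]]:
    """Return (days to KEV due date, action rows) with exposed hosts first."""
    due = date.fromisoformat(KEV_ENTRY["dueDate"])
    days_left = (due - today).days
    rows = [
        (h.name, h.version, classify(h.version), h.internet_facing)
        for h in hosts
        if classify(h.version) in ("apply-hotfix", "check-advisory")
    ]
    # Internet-facing first, then confirmed-vulnerable before unknown, then name.
    rows.sort(key=lambda r: (not r[3], r[2] != "apply-hotfix", r[0]))
    return days_left, rows


# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    Host("ems-corp-01", "7.4.5", internet_facing=False),
    Host("ems-dmz-01", "7.4.6", internet_facing=True),
    Host("ems-lab-01", "7.2.8", internet_facing=False),
    Host("ems-eu-01", "7.4.7", internet_facing=True),
    Host("ems-old-01", "7.4.2", internet_facing=False),
]

if __name__ == "__main__":
    days, work = triage(INVENTORY, date(2026, 4, 6))
    print(f"{KEV_ENTRY['cveID']}: {days} day(s) until KEV due date")
    for name, ver, action, exposed in work:
        print(f"{name:12} {ver:8} {action:15} {'INTERNET' if exposed else 'internal'}")
```

Run against a real inventory export, the ordering is the point: the internet-facing 7.4.6 host lands at the top of the list, the unaffected 7.2 and already-fixed 7.4.7 hosts drop out, and the 7.4.2 host is neither cleared nor condemned, because the advisory text quoted in this article does not cover it.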

Shared from Scout.