Critical Fortinet EMS vulnerability flagged
CISA added a critical Fortinet FortiClient EMS vulnerability (CVE-2026-35616) to its Known Exploited Vulnerabilities list and urged organisations to patch immediately, with April 9 called out as a remediation target. (x.com) The flaw scored high severity and was moved to the highest-priority list because it's already being actively exploited, so exposed endpoints and management consoles should be patched or isolated without delay. (x.com)
A newly cataloged Fortinet flaw has jumped to the top of many defenders' patch queues after the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, added it to the Known Exploited Vulnerabilities catalog on April 6, 2026. The issue, tracked as CVE-2026-35616, affects Fortinet FortiClient Enterprise Management Server, or FortiClient EMS, and was added because it is already being exploited in the wild. (cisa.gov)

FortiClient EMS is the management server that lets administrators deploy, configure, and monitor Fortinet's endpoint security software across large fleets of laptops and desktops. In practical terms, it is a central control point for endpoint agents, which means a compromise can give an attacker a valuable foothold inside an organization's security management layer. (fortiguard.com)

Fortinet describes CVE-2026-35616 as an improper access control vulnerability, classified under CWE-284. According to the company's advisory, the flaw may allow an unauthenticated attacker to execute unauthorized code or commands by sending crafted requests to a vulnerable FortiClient EMS system. (fortiguard.com)

That combination is what makes this bug especially dangerous. "Unauthenticated" means the attacker may not need valid credentials first, and "code or commands" means the attacker may be able to make the server do things it was never supposed to do, potentially turning a management console into an entry point for broader network access. This interpretation follows directly from Fortinet's description of the vulnerability's impact. (fortiguard.com)

CISA's Known Exploited Vulnerabilities catalog is not a general list of serious bugs. It is a curated list of vulnerabilities that CISA says have been exploited in real-world attacks and that pose significant risk. CISA explicitly says organizations should use the catalog to prioritize remediation on the smaller set of flaws causing immediate harm. (cisa.gov)

For federal civilian agencies, inclusion in the catalog triggers formal remediation expectations under Binding Operational Directive 22-01. In its April 6 alert, CISA said agencies must remediate the Fortinet FortiClient EMS vulnerability by the listed action due date, which the catalog shows as April 9, 2026. (cisa.gov)

Private-sector organizations are not bound by that directive in the same way, but the signal is still hard to miss. When a flaw moves into the Known Exploited Vulnerabilities catalog within days of disclosure and the vendor confirms exploitation in the wild, security teams usually treat it as an active incident-response problem, not a routine maintenance item. That is an inference based on CISA's prioritization model and Fortinet's exploitation warning. (cisa.gov)

Fortinet says affected customers should install hotfixes for FortiClient EMS 7.4.5 and 7.4.6, and it adds that FortiClient EMS 7.4.7 will also include a fix. The vendor's advisory specifically urges vulnerable customers to apply the hotfixes immediately. (fortiguard.com)

If an organization cannot patch immediately, the safest short-term move is to reduce exposure around the EMS server itself. Because Fortinet says exploitation can happen through crafted requests from an unauthenticated attacker, internet-exposed management interfaces and reachable consoles should be isolated, restricted, or taken off public access until fixes are in place. That recommendation is an inference from the attack path Fortinet described. (fortiguard.com)

This also fits a broader pattern in enterprise security: management servers are high-value targets because they sit above many endpoints at once. A flaw in a single endpoint agent matters, but a flaw in the system that manages thousands of those agents can give attackers leverage across an entire environment. FortiClient EMS's role as a centralized administration platform is what raises the stakes here. (fortiguard.com)

The immediate takeaway is simple. If your organization runs Fortinet FortiClient Enterprise Management Server, check whether it is on an affected version, apply Fortinet's hotfix or move to a fixed release path, and treat any exposed EMS instance as urgent until it is patched. CISA's April 6, 2026 addition to the Known Exploited Vulnerabilities catalog means this is no longer a theoretical risk. (cisa.gov)
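As an added example of the triage step just described (not Fortinet's or CISA's code), the script below ranks a constructed EMS inventory using only the facts in the article: hotfixes for 7.4.5 and 7.4.6, a fix in 7.4.7, and the April 9 due date. The hostnames are made up, and the assumption that later 7.4.x releases keep the 7.4.7 fix is marked in the code; any version the article does not name is reported as "verify" rather than guessed.

```python
# Added example, not Fortinet's or CISA's tooling. Encodes only what the article states:
# hotfixes for 7.4.5/7.4.6, a fix in 7.4.7, due 2026-04-09; other versions -> 'verify'.
from dataclasses import dataclass
from datetime import date

HOTFIXED = {"7.4.5", "7.4.6"}  # versions with a Fortinet hotfix
FIXED_FROM = (7, 4, 7)         # first 7.4.x release that carries the fix
DUE_DATE = date(2026, 4, 9)    # BOD 22-01 action due date

@dataclass
class EmsHost:
    name: str
    version: str            # e.g. "7.4.6"
    hotfix_applied: bool    # Fortinet hotfix installed on this host
    internet_exposed: bool  # admin console reachable from untrusted networks

def classify(host: EmsHost) -> str:
    """Return 'patched', 'affected' or 'verify' from version and hotfix state."""
    if host.version in HOTFIXED:
        return "patched" if host.hotfix_applied else "affected"
    ver = tuple(int(p) for p in host.version.strip().split("."))
    # Assumption: 7.4.7+ in the 7.4 branch keeps the fix; other branches are not covered here.
    if ver[:2] == FIXED_FROM[:2] and ver >= FIXED_FROM:
        return "patched"
    return "verify"

def action_for(host: EmsHost, today: date) -> str:
    status = classify(host)
    if status == "patched":
        return "none"
    if status == "verify":
        note = "confirm version against Fortinet advisory"
    elif host.internet_exposed:  # unauthenticated attack path: cut exposure first
        note = "isolate console from the internet now, then apply hotfix"
    else:
        note = "apply hotfix"
    return note + (" (overdue)" if today > DUE_DATE else "")

def triage(hosts: list, today: date) -> list:
    """(name, status, action) rows, most urgent first: affected and exposed on top."""
    rank = {"affected": 0, "verify": 1, "patched": 2}
    ordered = sorted(hosts, key=lambda h: (rank[classify(h)], not h.internet_exposed))
    return [(h.name, classify(h), action_for(h, today)) for h in ordered]

SAMPLE = [  # constructed sample inventory, not real hosts
    EmsHost("ems-hq", "7.4.6", hotfix_applied=True, internet_exposed=False),
    EmsHost("ems-branch", "7.4.5", hotfix_applied=False, internet_exposed=True),
    EmsHost("ems-lab", "7.4.2", hotfix_applied=False, internet_exposed=False),
    EmsHost("ems-new", "7.4.7", hotfix_applied=False, internet_exposed=True),
]
```

Feed `triage()` a real inventory export and a current date; rows flagged "affected" with an exposed console are the ones to isolate before the hotfix window closes.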