CISA Flags Actively Exploited Fortinet FortiClient EMS Vulnerability

On April 6, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added a new entry to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-35616, an improper access control vulnerability affecting Fortinet FortiClient EMS. The addition is based on confirmed evidence of active exploitation in the wild, making prompt remediation a critical priority for organizations of all sizes.

What Is CVE-2026-35616?

CVE-2026-35616 is classified as an Improper Access Control vulnerability in Fortinet FortiClient EMS (Enterprise Management Server). Improper access control flaws occur when an application fails to correctly enforce restrictions on what authenticated — or unauthenticated — users can do or access. In practice, this class of vulnerability can allow threat actors to bypass authorization checks, gain elevated privileges, access sensitive data, or execute unauthorized actions on affected systems.

Fortinet FortiClient EMS is widely deployed across enterprise environments to centrally manage endpoint security policies and FortiClient deployments. Its broad adoption makes this vulnerability particularly significant: a single exploitable flaw in a management server can provide attackers with a foothold deep within a corporate network.

Why the KEV Catalog Matters

CISA's Known Exploited Vulnerabilities Catalog was established under Binding Operational Directive (BOD) 22-01, titled Reducing the Significant Risk of Known Exploited Vulnerabilities. The catalog serves as a continuously updated, authoritative list of CVEs that carry significant risk to federal and private-sector infrastructure due to confirmed, real-world exploitation.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." — CISA

BOD 22-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies remediate KEV-listed vulnerabilities by prescribed due dates. However, CISA consistently and strongly encourages every organization — public and private — to treat KEV entries as high-priority remediation targets as part of a mature vulnerability management program.

Active Exploitation: Why This Is Urgent

The threshold for inclusion in the KEV Catalog is not theoretical risk — it requires confirmed evidence of active exploitation. This means that by the time CISA publishes a KEV entry, threat actors are already leveraging the vulnerability against real targets. Organizations that delay patching are not waiting on a theoretical future threat; they are leaving a door open that attackers are already walking through.

Improper access control vulnerabilities are a perennial favorite among malicious actors because they often require minimal technical sophistication to exploit once discovered. When paired with a widely-deployed product like Fortinet FortiClient EMS, the potential attack surface becomes substantial.

Who Is at Risk?

Any organization running Fortinet FortiClient EMS should treat CVE-2026-35616 as an immediate remediation priority. This includes:

  • Federal Civilian Executive Branch agencies (mandatory remediation under BOD 22-01)
  • State, local, tribal, and territorial (SLTT) government entities
  • Critical infrastructure operators
  • Enterprises using Fortinet solutions for endpoint management
  • Managed service providers (MSPs) managing Fortinet deployments on behalf of clients

Given the management-plane nature of FortiClient EMS, successful exploitation could have downstream effects on every endpoint under that server's management scope — amplifying the potential blast radius significantly.

Recommended Remediation Steps

Organizations should take the following actions immediately:

  • Apply available patches: Check Fortinet's official security advisories for patches addressing CVE-2026-35616 and apply them without delay.
  • Audit access controls: Review network segmentation and access policies around your FortiClient EMS deployment to limit exposure while patches are applied.
  • Monitor for indicators of compromise (IoCs): Review logs for anomalous access patterns or privilege escalation events on FortiClient EMS instances.
  • Prioritize KEV entries in your vulnerability management program: If your organization does not already treat CISA KEV entries as top-priority remediation items, this is the moment to establish that policy.
  • Review BOD 22-01 guidance: Even non-federal organizations will benefit from aligning with the KEV remediation framework CISA has established.

The Broader Context: Fortinet Under the Spotlight

This is not the first time Fortinet products have appeared in CISA's KEV Catalog. Fortinet's broad enterprise footprint — spanning firewalls, VPN gateways, and endpoint management — makes it a high-value target for nation-state actors and cybercriminal groups alike. Past Fortinet vulnerabilities have been exploited by advanced persistent threat (APT) groups to gain initial access to government and critical infrastructure networks. The addition of CVE-2026-35616 continues this pattern and underscores the importance of maintaining a rigorous, ongoing patch cadence for all Fortinet products in your environment.

Conclusion: Act Now, Not Later

The addition of CVE-2026-35616 to CISA's KEV Catalog is a clear signal that this Fortinet FortiClient EMS vulnerability is being actively weaponized. Waiting is not a viable strategy. Security teams should immediately assess their exposure, apply available patches, and verify that compensating controls are in place while remediation is underway.

CISA's KEV Catalog exists precisely to cut through the noise of thousands of published CVEs each year and identify the vulnerabilities that demand immediate action. When a vulnerability makes that list, the clock is already running. Make sure your organization is on the right side of it.