Zero-Day Security Alert — April 6, 2026: Fortinet FortiClient EMS Actively Exploited
- Jacob Hughes
- Apr 6
- 1 min read
CVE-2026-35616 is a critical (CVSS 9.8) improper access control vulnerability in Fortinet FortiClient EMS versions 7.4.5 through 7.4.6 that is actively being exploited in the wild. Organizations running affected versions should apply Fortinet's patch immediately; CISA requires federal agencies to remediate by April 9, 2026.
Daily Security Briefing
April 6, 2026
CVE-2026-35616 | CVSS 9.8 | CRITICAL Severity | Actively Exploited (CISA KEV)
Affected Product
Fortinet FortiClient EMS versions 7.4.5 through 7.4.6
Description
An improper access control vulnerability in Fortinet FortiClient EMS allows an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests. FortiClient EMS is a centralized endpoint management server used by organizations to deploy, configure, and monitor FortiClient agents across their network. Successful exploitation grants remote code execution without authentication, potentially giving attackers full control of the management server and, by extension, visibility into or control over managed endpoints.
Attack Vector
Network-based attack with low complexity. No privileges or user interaction are required. An unauthenticated remote attacker can send crafted requests to the FortiClient EMS server to achieve code execution. Organizations exposing FortiClient EMS to the internet or to untrusted network segments are at highest risk.
Remediation
Apply mitigations per Fortinet advisory FG-IR-26-099. Upgrade FortiClient EMS to a patched version as specified in the advisory. If patching is not immediately possible, restrict network access to the FortiClient EMS management interface to trusted internal networks only and monitor for indicators of compromise. Follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA Remediation Due Date: April 9, 2026
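As an added example (not part of this alert and not Fortinet tooling), the script below triages a constructed FortiClient EMS inventory against the affected range stated above, ranking hosts that are both affected and reachable from untrusted networks first; the hostnames, version strings and `internet_exposed` flag are assumptions built for illustration.

```python
from dataclasses import dataclass

# Inclusive affected range as listed in this alert for CVE-2026-35616.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)

def parse_version(text: str) -> tuple:
    """Turn '7.4.6' or '7.4.6 build 1234' into a tuple of ints.
    Integer tuples avoid the string pitfall where '7.4.10' < '7.4.6'."""
    core = text.strip().split()[0]
    try:
        nums = tuple(int(p) for p in core.split("."))
    except ValueError:
        raise ValueError(f"unparseable version string: {text!r}") from None
    return (nums + (0, 0, 0))[:3]  # pad '7.4' -> (7, 4, 0); ignore extra parts

def is_affected(version: str) -> bool:
    """True only for versions inside the range the alert lists."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

@dataclass
class EmsHost:
    name: str
    version: str
    internet_exposed: bool  # management interface reachable from untrusted networks

def triage(hosts: list) -> list:
    """Return (priority, host, action) rows, riskiest first."""
    rows = []
    for h in hosts:
        if not is_affected(h.version):
            rows.append((2, h.name, "outside listed range; confirm against FG-IR-26-099"))
        elif h.internet_exposed:
            rows.append((0, h.name, "patch now: affected and exposed to untrusted networks"))
        else:
            rows.append((1, h.name, "patch before 2026-04-09; restrict access meanwhile"))
    return sorted(rows)

# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    EmsHost("ems-dmz-01", "7.4.6 build 1234", True),
    EmsHost("ems-corp-02", "7.4.5", False),
    EmsHost("ems-lab-03", "7.4.10", False),
    EmsHost("ems-old-04", "7.4.4", True),
]

if __name__ == "__main__":
    for priority, name, action in triage(INVENTORY):
        print(f"[P{priority}] {name}: {action}")
```

Versions outside 7.4.5 through 7.4.6 are reported as outside the listed range rather than as fixed, because the patched release must be taken from the Fortinet advisory.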
This report is generated automatically from NVD and CISA KEV data.