CISA Orders Federal Agencies to Patch Actively Exploited FortiClient EMS Vulnerability (CVE‑2026‑35616) by Friday
What Happened – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all Federal Civilian Executive Branch agencies, under Binding Operational Directive 22‑01 (its Known Exploited Vulnerabilities mandate), to remediate Fortinet FortiClient Enterprise Management Server (EMS) CVE‑2026‑35616 by 00:00 UTC April 9, 2026, either by applying Fortinet's emergency hot‑fix or by upgrading to a fixed release. The flaw is a pre‑authentication API access bypass that lets an unauthenticated attacker execute arbitrary commands on the EMS server. Fortinet has confirmed that the vulnerability is being exploited in the wild and was used as a zero‑day.
Why It Matters for TPRM –
- An actively exploited, pre‑auth bypass can give threat actors a foothold in any network that runs FortiClient EMS, and because EMS administers the FortiClient endpoints enrolled in it, control of the server extends to the fleet it manages.
- Federal‑level directive signals high confidence that the flaw poses systemic risk to any organization relying on the same product.
- Failure to patch may lead to credential theft, lateral movement, or ransomware deployment across supply‑chain partners.
Who Is Affected – Government agencies, contractors, and any private‑sector entities that have deployed FortiClient EMS (endpoint security/management).
Recommended Actions –
- Verify all FortiClient EMS instances are running version 7.4.7 or later, or apply the emergency hot‑fix for 7.4.5/7.4.6.
- Inventory every EMS instance, including ones operated by partners on your behalf, and determine which are reachable from the internet; restrict the EMS interfaces to trusted management networks wherever possible.
- Treat the BOD 22‑01 (Known Exploited Vulnerabilities) deadline as the benchmark for your own remediation timeline, and confirm that any third‑party MSPs managing Fortinet devices for you have applied the hot‑fix or upgrade.
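The three actions above reduce to one triage pass over an asset list: is each EMS on 7.4.7 or later, or on 7.4.5/7.4.6 with the hot‑fix applied, and is it exposed to the internet? The script below is an added example written for this summary, not code from Fortinet, CISA or BleepingComputer. It assumes you already have an inventory with version strings, hot‑fix status and exposure (here constructed sample data), and it does not probe any live system.

```python
"""
Triage a FortiClient EMS inventory against the CVE-2026-35616 fix guidance:
fixed in 7.4.7 or later, or 7.4.5 / 7.4.6 with Fortinet's emergency hot-fix.
Added example for this summary; the inventory below is constructed sample data.
"""
from dataclasses import dataclass

FIXED_VERSION = (7, 4, 7)                 # first release that carries the fix
HOTFIX_VERSIONS = {(7, 4, 5), (7, 4, 6)}  # releases for which a hot-fix exists

ACT_HOTFIX = "apply Fortinet emergency hot-fix or upgrade to 7.4.7+"
ACT_UPGRADE = "upgrade to 7.4.7 or later (no hot-fix listed for this release)"
ACT_RESTRICT = "restrict the EMS interface from the internet"


@dataclass(frozen=True)
class EmsInstance:
    host: str
    version: str            # e.g. "7.4.6"; a trailing build tag is tolerated
    hotfix_applied: bool    # assumed to come from your own change records
    internet_facing: bool   # assumed to come from an external scan or firewall review


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.6' or '7.4.6 build1234' into a comparable tuple (7, 4, 6)."""
    core = text.strip().split()[0] if text.strip() else ""
    parts = core.split(".")
    if not core or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_remediated(version: str, hotfix_applied: bool) -> bool:
    """True only if the instance matches one of the two fixed states in the advisory."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return True
    return v in HOTFIX_VERSIONS and hotfix_applied


def triage(inventory: list[EmsInstance]) -> list[dict]:
    """Return one finding per host, most urgent first (vulnerable and exposed)."""
    findings = []
    for inst in inventory:
        v = parse_version(inst.version)
        remediated = is_remediated(inst.version, inst.hotfix_applied)
        actions = []
        if not remediated:
            # 7.4.5/7.4.6 without the hot-fix can take the hot-fix; anything
            # older has no hot-fix in the advisory and must be upgraded.
            actions.append(ACT_HOTFIX if v in HOTFIX_VERSIONS else ACT_UPGRADE)
        if inst.internet_facing:
            actions.append(ACT_RESTRICT)   # applies even after patching
        if not remediated and inst.internet_facing:
            priority = 0
        elif not remediated:
            priority = 1
        else:
            priority = 2
        findings.append({
            "host": inst.host,
            "version": inst.version,
            "remediated": remediated,
            "priority": priority,
            "actions": actions,
        })
    findings.sort(key=lambda f: (f["priority"], f["host"]))
    return findings


# Constructed sample inventory; hostnames and states are illustrative only.
SAMPLE_INVENTORY = [
    EmsInstance("ems-hq-01", "7.4.7", hotfix_applied=False, internet_facing=False),
    EmsInstance("ems-branch-02", "7.4.6", hotfix_applied=True, internet_facing=True),
    EmsInstance("ems-dmz-03", "7.4.5", hotfix_applied=False, internet_facing=True),
    EmsInstance("ems-lab-04", "7.4.4", hotfix_applied=False, internet_facing=False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        state = "OK        " if f["remediated"] else "VULNERABLE"
        print(f"[P{f['priority']}] {f['host']:<14} {f['version']:<8} {state} "
              + ("; ".join(f["actions"]) or "no action"))
```

The hot‑fix flag matters: a version check alone would mark every 7.4.5/7.4.6 server as vulnerable, while an inventory that only records "patched" would miss servers on releases the advisory does not list at all. The exposure action is emitted regardless of patch state, because an internet‑reachable management server stays a target for the next bypass.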
Technical Notes – The vulnerability (CVE‑2026‑35616) is a pre‑authentication API access bypass caused by improper access‑control checks. Exploitation allows unauthenticated command execution via crafted HTTP requests. Fortinet released hot‑fixes for EMS 7.4.5/7.4.6 and a full upgrade to 7.4.7. Shadowserver reports ~2,000 EMS instances exposed globally, with >1,400 in the U.S. and Europe. Source: BleepingComputer