CISA Mandates Federal Agencies Fix Fortinet EMS Exploit by Friday
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to address a critical vulnerability in FortiClient Enterprise Management Server (EMS). This directive, aimed at enhancing cybersecurity, requires action by Friday.
CISA Orders Action on CVE-2026-35616
The vulnerability is tracked as CVE-2026-35616. Discovered by cybersecurity firm Defused, it allows unauthorized access to the EMS through a pre-authentication API bypass. This means that attackers could exploit this flaw to bypass security controls, putting sensitive information at risk.
Emergency Hotfixes and Patching Guidance
In response to these vulnerabilities, Fortinet announced emergency hotfixes over the weekend. The company stressed that the flaw arises from improper access controls which could enable unauthenticated attackers to execute arbitrary code.
- Hotfixes are available for FortiClient EMS 7.4.5 and 7.4.6.
- Users are encouraged to upgrade to version 7.4.7 when it becomes available.
Fortinet has reported that threat actors have actively exploited this vulnerability in recent zero-day attacks. Administrators are urged to secure their EMS instances promptly. CISA has included CVE-2026-35616 in its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgency of addressing this issue.
Scope of the Vulnerability
According to the security watchdog group Shadowserver, nearly 2,000 FortiClient EMS instances are currently exposed online. Over 1,400 of these are located in the United States and Europe. However, details on how many of these have been patched remain unclear.
Guidance for Federal and Private Sectors
CISA’s Binding Operational Directive (BOD) 22-01 requires all Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on April 9. CISA warns that vulnerabilities such as this one frequently serve as attack vectors for malicious cyber actors.
Methods to mitigate the risk include:
- Applying vendor instructions for security measures.
- Following BOD 22-01 guidance for cloud services.
- Discontinuing product usage if mitigations are unavailable.
Although BOD 22-01 specifically applies to federal agencies, CISA strongly encourages all organizations, including those in the private sector, to prioritize the patching of CVE-2026-35616.
Recent Vulnerability Trends
Earlier this year, Fortinet addressed another critical vulnerability in FortiClient EMS, designated CVE-2026-21643. This flaw was similarly flagged for its exploitation in attacks. Fortinet vulnerabilities have frequently been leveraged in cyber espionage campaigns and ransomware attacks.
In summary, prompt action is critical. Both federal and private entities must take immediate steps to secure their networks against this identified vulnerability to mitigate potential risks.