CISA Alerts on Active Exploitation of Fortinet 0-Day Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised alarm over a critical vulnerability known as CVE-2026-35616 in Fortinet’s FortiClient Enterprise Management Server (EMS). This flaw, categorized under improper access control, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026. Federal agencies must address this issue by April 9, 2026.
Critical Details of the Vulnerability
CVE-2026-35616 is a significant flaw with a Common Vulnerability Scoring System (CVSS) score of 9.1. It affects FortiClient EMS versions 7.4.5 and 7.4.6, while the 7.2 branch is not affected. The vulnerability allows a pre-authentication API access bypass, enabling privilege escalation without valid credentials.
- Severity: Critical (CVSS: 9.1)
- Exploitable Versions: FortiClient EMS 7.4.5, 7.4.6
- Unaffected Version: FortiClient EMS 7.2
How the Vulnerability Works
This vulnerability allows unauthenticated attackers to bypass API authentication and execute malicious code. It is exploited through specially crafted HTTP requests, giving remote code execution (RCE) against exposed EMS instances.
Active exploitation of this zero-day vulnerability was first recorded on March 31, 2026, when watchTowr detected attempts against its honeypots. Security researchers Simo Kohonen from Defused Cyber and Nguyen Duc Anh discovered this flaw and responsibly reported it.
Fortinet’s Response and Recommendations
In response, Fortinet issued an emergency advisory urging users to apply the available hotfix for affected FortiClient EMS versions. The company emphasized the need for immediate action due to confirmed exploitation in the wild.
Consequences of Exploitation
Successful exploitation of CVE-2026-35616 can lead to:
- Bypassing API authentication and authorization controls.
- Executing unauthorized remote code or commands.
- Gaining an initial foothold in the target network.
- Escalating privileges within the EMS environment.
The EMS telemetry endpoint is often reachable from the internet so that managed clients can report in, which significantly expands the attack surface. CISA's directive, issued under Binding Operational Directive (BOD) 22-01, requires all U.S. federal agencies to implement mitigations by the specified date.
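As an added example (not code from the article or from Fortinet), the following triage script applies the version facts above to a constructed inventory of EMS instances and orders the remediation work list, treating internet-exposed, unpatched instances as the most urgent. The `internet_exposed` and `hotfix_applied` fields are assumptions about what an inventory might record; the affected versions are only those the article names, so consult Fortinet's advisory for the authoritative list.

```python
# Added triage example: rank FortiClient EMS instances by remediation urgency.
# Affected versions are taken from the article; inventory records are constructed.
from dataclasses import dataclass

AFFECTED = {(7, 4, 5), (7, 4, 6)}   # versions the article lists as affected
UNAFFECTED_BRANCH = (7, 2)          # 7.2 branch reported as not affected


@dataclass
class EmsInstance:
    host: str
    version: str
    internet_exposed: bool   # assumption: inventory tracks telemetry endpoint exposure
    hotfix_applied: bool     # assumption: inventory tracks Fortinet hotfix status


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.5' into (7, 4, 5); reject strings that are not dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True only for the versions the article names as exploitable."""
    v = parse_version(version)
    if v[:2] == UNAFFECTED_BRANCH:
        return False
    return v[:3] in AFFECTED


def triage(inventory: list[EmsInstance]) -> list[tuple[str, str, str]]:
    """Return (priority, host, version) for instances still needing the hotfix.

    P1: affected and internet-exposed; P2: affected but internal-only.
    Hotfixed and unaffected instances are left out of the work list.
    """
    todo = []
    for inst in inventory:
        if not is_affected(inst.version) or inst.hotfix_applied:
            continue
        todo.append(("P1" if inst.internet_exposed else "P2", inst.host, inst.version))
    return sorted(todo)   # "P1" sorts ahead of "P2"


# Constructed sample inventory (hostnames are placeholders).
SAMPLE_INVENTORY = [
    EmsInstance("ems-eu-01", "7.4.5", internet_exposed=True, hotfix_applied=False),
    EmsInstance("ems-lab", "7.4.6", internet_exposed=False, hotfix_applied=False),
    EmsInstance("ems-legacy", "7.2.4", internet_exposed=True, hotfix_applied=False),
    EmsInstance("ems-us-02", "7.4.6", internet_exposed=True, hotfix_applied=True),
]

if __name__ == "__main__":
    for priority, host, version in triage(SAMPLE_INVENTORY):
        print(f"{priority}  {host:<12} {version}")
```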
Global Impact and Warnings
According to the Shadowserver Foundation, there are over 2,000 publicly accessible FortiClient EMS instances worldwide. Of these, two have been confirmed as actively exploited because they were left unprotected against this critical RCE vulnerability.
Administrators are strongly advised to prioritize remediation efforts to safeguard their systems against potential threats.
Stay informed on the latest cybersecurity developments by following El-Balad for daily updates.