CISA orders feds to patch exploited Fortinet EMS flaw by Friday

CISA ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances by April 9 after Defused disclosed CVE-2026-35616, a pre-authentication API access bypass that is being actively exploited. Fortinet released emergency hotfixes for the affected EMS versions and urged customers to apply the fixes or upgrade, while Shadowserver reports nearly 2,000 EMS instances exposed online. #CVE-2026-35616 #FortiClientEMS

Key points

  • CISA mandated FCEB agencies patch FortiClient EMS by April 9 under BOD 22-01.
  • Defused reported CVE-2026-35616 is a pre-auth API access bypass that can allow attackers to bypass authentication and authorization.
  • Fortinet issued emergency hotfixes for EMS 7.4.5 and 7.4.6 and advised upgrading to 7.4.7 when available.
  • Shadowserver tracks nearly 2,000 exposed FortiClient EMS instances, with over 1,400 IPs in the U.S. and Europe.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog and urged all organizations to prioritize patching due to active exploitation.

Read More: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-fortinet-flaw-exploited-in-attacks-by-friday/