U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

AndyC 8 April 2026

U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
April 07, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Fortinet FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Fortinet released out-of-band patches for a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS 9.1), which is already being exploited in attacks in the wild. The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6”

Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

Fortinet acknowledged Simo Kohonen from Defused and Nguyen Duc Anh for responsibly disclosing this vulnerability after observing active zero-day exploitation of the issue.

A few hours ago, Defused researchers warned that attackers are exploiting the FortiClient zero-day. No public POC exists yet; however, this exploit has roughly the same structure as the observed zero-day exploit. Experts recommend watching for traffic from unknown IPs showing X-SSL-CLIENT-VERIFY: SUCCESS.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 9, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , , ,

What do you feel about this?

More Stories

Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa

Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa

AndyC 8 April 2026
GPUBreach exploit uses GPU memory bit-flips to achieve full system takeover

GPUBreach exploit uses GPU memory bit-flips to achieve full system takeover

AndyC 8 April 2026
Life imprisonment for Cambodian scam compound operators – but will it make a difference?

Experts published unpatched Windows zero-day BlueHammer

AndyC 8 April 2026
Weekly Update 498

Weekly Update 498

AndyC 7 April 2026
Phishing LNK files and GitHub C2 power new DPRK cyber attacks

Phishing LNK files and GitHub C2 power new DPRK cyber attacks

AndyC 7 April 2026
MITRE ATT&CK v19 Drops April 28: How to Prepare Your SOC for the Defense Evasion Split

BKA unmasks two REvil Ransomware operators behind 130+ German attacks

AndyC 7 April 2026

You may have missed

The Complete Guide to Passwordless Authentication in 2026: How It Works, Why It Matters, and How to Implement It

The Complete Guide to Passwordless Authentication in 2026: How It Works, Why It Matters, and How to Implement It

AndyC 8 April 2026
Legacy Systems are Undermining Financial Institution Cybersecurity

[un]prompted 2026 – Developing & Deploying AI Fingerprints For Advanced Threat Detection

AndyC 8 April 2026
AI, DevSecOps, and the Future of Application Security: The Gartner® Report

AI, DevSecOps, and the Future of Application Security: The Gartner® Report

AndyC 8 April 2026
OpenAI calls for a four-day workweek — and a ‘robot tax’

Best Sentry Alternatives for Error Tracking and Monitoring (2026)

AndyC 8 April 2026
Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa

Fast-moving Storm-1175 uses new exploits to breach networks and drop Medusa

AndyC 8 April 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.