The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a directive this Monday requiring Federal Civilian Executive Branch (FCEB) agencies to patch the critical vulnerability CVE-2026-35616 in FortiClient Enterprise Management Server (EMS) by midnight on April 9. Discovered by the cybersecurity firm Defused, the flaw is a pre-authentication API bypass that allows unauthenticated attackers to execute code or commands via specially crafted requests.
Fortinet has released emergency patches and is urging customers to upgrade to version 7.4.7 immediately or apply patches for versions 7.4.5 and 7.4.6. According to data from Shadowserver, nearly 2,000 FortiClient EMS instances are currently exposed to the internet globally, with over 1,400 of those IP addresses located in the U.S. and Europe. CISA warned, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
Beyond the U.S., the Cyber Security Agency of Singapore (CSA) has also issued an emergency alert regarding the vulnerability. Benjamin Harris, CEO of the cybersecurity firm watchTowr, stated that his company’s honeypots began detecting exploitation attempts targeting CVE-2026-35616 as early as March 31. He noted that attackers specifically exploited the reduced staffing levels during the Easter holiday to carry out their intrusions.
Escalating Zero-Day Threats
Harris added that this is the second FortiClient EMS vulnerability disclosed within three weeks. He believes the timing of the zero-day exploitation is no coincidence: "Attackers have repeatedly proven that holidays are prime time for them to strike. With security teams operating at half-strength and on-call engineers distracted, the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents an opportunity."
In an official statement, Fortinet noted: "Fortinet has observed this vulnerability being exploited in the wild and urges vulnerable customers to apply the patches." The company has been highly active in addressing security threats recently; it previously blocked FortiCloud SSO connections for devices running vulnerable firmware versions in response to the CVE-2026-24858 vulnerability. CISA emphasized that while the directive is aimed at U.S. federal agencies, all private-sector defenders should prioritize patching this vulnerability and audit all internet-facing Fortinet products for signs of potential compromise.
