U.S. CISA Adds a Flaw in Fortinet FortiClient EMS to Its Known Exploited Vulnerabilities Catalog
Key Takeaways
- CISA adds FortiClient EMS CVE-2026-35616 to KEV catalog
- Vulnerability scores 9.1, allows unauthenticated privilege escalation
- Fortinet released out-of-band hotfixes for versions 7.4.5/7.4.6
- Federal agencies must remediate by April 9, 2026
- Defused reports ongoing exploitation, advises monitoring X-SSL-CLIENT-VERIFY
Pulse Analysis
The addition of FortiClient EMS's CVE-2026-35616 to CISA's KEV catalog puts the management server, not just the endpoints it administers, on the priority list. With a CVSS score of 9.1, the improper access control flaw lets an unauthenticated attacker bypass authentication and execute arbitrary commands, which is why the catalog entry describes it as unauthenticated privilege escalation. Because the catalog only lists flaws with evidence of active exploitation, the listing triggers Binding Operational Directive 22-01: federal civilian agencies must remediate by the stated deadline, and CISA urges every other organization to treat the same date as its own.
Fortinet's response was to ship out-of-band hotfixes for versions 7.4.5 and 7.4.6, which narrows the exposure window ahead of the permanent fix slated for the 7.4.7 release. The hotfixes address the API authentication bypass on the EMS server itself; they are not something pushed to managed endpoints. Organizations should confirm the hotfix is actually applied on every EMS instance, including test and disaster-recovery servers, and reconcile that against an up-to-date version inventory, since forgotten or legacy installations stay exposed to the same attack vector.
Security researchers at Defused report active exploitation in the wild and point to the request header `X-SSL-CLIENT-VERIFY: SUCCESS` as the traffic anomaly to watch for. No public proof-of-concept is available, so defenders have to work from that observed pattern rather than a full exploit chain. In most deployments a header of this kind is only set by a TLS-terminating reverse proxy after it has validated a client certificate, so it should never arrive pre-set from an arbitrary Internet client; log request headers at the proxy or on the EMS host and alert on inbound requests that carry it from any source other than the trusted proxy tier. Feeding that rule into the SIEM and meeting CISA's April 9, 2026 remediation deadline covers both the detection and the compliance side of this advisory.
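The following is an added example of the detection rule described above, written for this page and not code from Defused, Fortinet or CISA. It assumes a reverse proxy or WAF that writes one JSON record per request with a `headers` object, and that the trusted TLS-terminating proxies live in 10.0.0.0/24; both the log format and that network are assumptions, and the log lines are constructed for illustration, not real traffic.

```python
import json
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed sample records (not real traffic). Format assumed: one JSON
# object per line, with the request headers as the proxy/WAF received them.
SAMPLE_LOG = """
{"ts":"2026-03-20T10:01:02Z","src":"10.0.0.5","method":"GET","path":"/api/v1/status","headers":{"Host":"ems.example.internal","X-SSL-CLIENT-VERIFY":"SUCCESS"}}
{"ts":"2026-03-20T10:01:09Z","src":"203.0.113.77","method":"POST","path":"/api/v1/auth","headers":{"Host":"ems.example.internal","x-ssl-client-verify":"SUCCESS","User-Agent":"python-requests/2.31"}}
{"ts":"2026-03-20T10:02:15Z","src":"198.51.100.20","method":"GET","path":"/login","headers":{"Host":"ems.example.internal"}}
{"ts":"2026-03-20T10:02:40Z","src":"203.0.113.78","method":"GET","path":"/api/v1/endpoints","headers":{"X-Ssl-Client-Verify":"NONE"}}
"""

# Assumed: only the TLS-terminating proxy tier is allowed to set this header.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
WATCHED_HEADER = "X-SSL-CLIENT-VERIFY"


def header_value(headers: dict, name: str):
    """Case-insensitive header lookup; logs usually keep the client's casing."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_trusted_source(src: str) -> bool:
    """True when the source IP belongs to the trusted proxy tier."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def detect(lines: Iterable[str]) -> list:
    """Return one alert dict per suspicious request, in log order.

    high: header present with value SUCCESS from a non-proxy source (the
          pattern Defused reported).
    low:  header present with any other value from a non-proxy source (a
          client is injecting the header at all, which is already abnormal).
    """
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed record; count these separately in production
        verify = header_value(rec.get("headers", {}), WATCHED_HEADER)
        if verify is None:
            continue
        src = rec.get("src", "")
        if is_trusted_source(src):
            continue  # proxy set it after real client-cert validation
        severity = "high" if verify.strip().upper() == "SUCCESS" else "low"
        alerts.append({
            "severity": severity,
            "ts": rec.get("ts"),
            "src": src,
            "method": rec.get("method"),
            "path": rec.get("path"),
            "header_value": verify,
            "rule": "untrusted client supplied " + WATCHED_HEADER,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The allowlist check is what keeps the rule from paging on every legitimate mutual-TLS request: the proxy is expected to set the header, an outside client is not. Tune `TRUSTED_PROXIES` to the real proxy addresses before deploying, and keep the low-severity tier, since a header present with the wrong value is still a client probing for trust in that header.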