Threat Type: Actively Exploited Zero-Day
Affected Product: Fortinet FortiClient Enterprise Management Server (EMS)
Background:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch CVE-2026-35616, an actively exploited zero-day vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), by April 9, 2026.
The flaw is a pre-authentication API access bypass: an unauthenticated attacker who can reach the EMS API can execute arbitrary code or commands on a vulnerable server. Exploitation activity was observed as early as 31 March 2026.
Fortinet has confirmed that the vulnerability is being exploited in the wild and has released emergency hotfixes for the affected versions, urging immediate application. CISA's emergency order reflects the severe risk this flaw poses to government and private networks alike.
Vulnerability Details
- CVE ID: CVE-2026-35616
- Type: Improper Access Control / Pre-Authentication API Access Bypass
- Impact:
  - Full authentication bypass
  - Remote code or command execution
  - Potential full EMS compromise
- Affected Versions:
  - FortiClient EMS 7.4.5 and 7.4.6 (hotfixes issued)
  - Fix will be included in 7.4.7 when released
- Exploitation Status: Confirmed active zero-day exploitation by threat actors prior to patch release.
Exploitation Activity
Fortinet confirmed attackers are exploiting the vulnerability in the wild, classifying it as a zero‑day. The exploitation involves unauthenticated actors sending crafted requests to bypass EMS API authorization entirely, gaining remote access and the ability to execute commands.
Shadowserver reports nearly 2,000 FortiClient EMS instances exposed online, with 1,400+ in the U.S. and Europe, highlighting the broad attack surface.
Threat Impact & Risk Assessment
| Category | Assessment |
|---|---|
| Likelihood | High – confirmed active exploitation |
| Impact | Critical – full authentication bypass + RCE |
| Exposure | Significant – ~2,000 instances online, many unpatched |
| Overall Risk | Severe – immediate exploitation risk |
CISA Directive and Deadlines
CISA has added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) Catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch by Thursday, April 9 (midnight) under Binding Operational Directive (BOD) 22-01.
CISA warns that vulnerabilities of this type are frequent attack vectors and pose "significant risks" to federal enterprises. Although the directive applies only to federal agencies, CISA "strongly urges" all organizations, private sector included, to prioritize fast patching.
Recommended Mitigations
Immediate Actions
- Apply Fortinet's emergency hotfixes for EMS versions 7.4.5 and 7.4.6.
- Upgrade to EMS version 7.4.7 once it becomes available.
- Remove EMS management and API interfaces from direct internet exposure until the hotfix is applied; the flaw is reachable without credentials, so network exposure alone is sufficient for exploitation.
- Apply CISA BOD 22-01 guidance for cloud services and associated assets.
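The affected-version list above and the immediate actions in this section reduce, for an operator, to a triage of every EMS instance in the inventory: which ones sit on 7.4.5 or 7.4.6 without the hotfix, which of those are internet-exposed, and which are on a release the advisory does not name at all. The script below is an added example, not Fortinet or CISA tooling. It assumes an inventory export as CSV with `hostname`, `version`, `hotfix_applied` and `internet_exposed` columns (a format chosen for this example) and a constructed sample inventory; the version strings, hostnames and exposure flags are made up.

```python
"""Triage a FortiClient EMS inventory against the CVE-2026-35616 advisory.

Added example, not Fortinet or CISA tooling. The CSV layout (hostname, version,
hotfix_applied, internet_exposed) is an assumption made for this example; adapt
load_inventory()/triage() to whatever your asset inventory actually exports.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Versions the advisory lists as affected (Fortinet hotfixes issued).
AFFECTED = {(7, 4, 5), (7, 4, 6)}
# First release the advisory says will carry the permanent fix.
FIXED_FROM = (7, 4, 7)

# Accepts '7.4.5', 'v7.4.6', '7.4.6 build 1700'; ignores anything after patch.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str, hotfix_applied: bool = False) -> str:
    """Map one EMS version (plus hotfix state) to the action the advisory calls for."""
    v = parse_version(version)
    if v is None:
        return "unknown version: verify manually"
    if v in AFFECTED:
        if hotfix_applied:
            return "hotfixed: upgrade to 7.4.7 when released"
        return "AFFECTED: apply Fortinet hotfix now, upgrade to 7.4.7 when released"
    if v >= FIXED_FROM:
        return "fixed release"
    # Older branches are not named in the advisory; that is not the same as safe.
    return "not listed in advisory: confirm status with Fortinet"


def _truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in {"y", "yes", "true", "1"}


def triage(inventory_csv: str) -> List[Dict[str, str]]:
    """Run classify() over each CSV row; returns the rows with an added 'action'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        action = classify(row.get("version", ""), _truthy(row.get("hotfix_applied")))
        results.append({**row, "action": action})
    return results


def needs_immediate_action(results: List[Dict[str, str]]) -> List[str]:
    """Hostnames still unpatched on an affected version, internet-exposed ones first."""
    hits = [r for r in results if r["action"].startswith("AFFECTED")]
    hits.sort(key=lambda r: (not _truthy(r.get("internet_exposed")), r["hostname"]))
    return [r["hostname"] for r in hits]


# Constructed sample inventory: hostnames, versions and flags are invented.
SAMPLE_INVENTORY = """hostname,version,hotfix_applied,internet_exposed
ems-hq-02,7.4.6,yes,no
ems-lab-01,v7.4.6 build 1700,no,no
ems-hq-01,7.4.5,no,yes
ems-legacy,7.2.9,no,yes
ems-new,7.4.7,no,no
ems-broken,,no,no
"""

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for r in results:
        exposed = " [INTERNET-EXPOSED]" if _truthy(r.get("internet_exposed")) else ""
        print(f"{r['hostname']:<12} {r['version'] or '?':<20} {r['action']}{exposed}")
    print("Patch or isolate first:", needs_immediate_action(results))
```

Two details matter in practice. A host whose version string cannot be parsed is reported as unknown rather than silently skipped, because an unreadable inventory entry is exactly the kind of server that stays unpatched past the deadline. Releases older than 7.4.5 are flagged "not listed" rather than "unaffected": the advisory names only 7.4.5 and 7.4.6 and does not state that other branches are safe.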
If Mitigation Is Not Possible
CISA advises discontinuing use of the product if workable mitigations are unavailable.