Threat Advisories

Actively Exploited Fortinet FortiClient EMS ZeroDay (CVE202635616)

Written by The Integrity360 Team | Apr 10, 2026 7:42:54 AM

Threat Type: Actively Exploited ZeroDay
Affected Product: Fortinet FortiClient Enterprise Management Server (EMS)

Background:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch CVE202635616, an actively exploited zeroday vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), by April 9.

The flaw is a preauthentication API access bypass that allows an unauthenticated attacker to execute arbitrary code or commands on vulnerable EMS servers. Exploitation activity was observed as early as 31 March 2026, and Fortinet urges immediate application of hotfixes for affected versions

Fortinet has confirmed that the vulnerability is being exploited in the wild and released emergency hotfixes for affected versions. CISA’s emergency order reflects the severe risk this flaw poses to government and private networks alike.

Vulnerability Details

  • CVE ID: CVE202635616
  • Type: Improper Access Control / PreAuthentication API Access Bypass
  • Impact:
    • Full authentication bypass
    • Remote code or command execution
    • Potential full EMS compromise
  • Affected Versions:
    • FortiClient EMS 7.4.5 and 7.4.6 (hotfixes issued)
    • Fix will be included in 7.4.7 when released
  • Exploitation Status: Confirmed active zeroday exploitation by threat actors prior to patch release.

Exploitation Activity

Fortinet confirmed attackers are exploiting the vulnerability in the wild, classifying it as a zeroday. The exploitation involves unauthenticated actors sending crafted requests to bypass EMS API authorization entirely, gaining remote access and the ability to execute commands.

Shadowserver reports nearly 2,000 FortiClient EMS instances exposed online, with 1,400+ in the U.S. and Europe, highlighting the broad attack surface.

Threat Impact & Risk Assessment

Category

Assessment

Likelihood

High – confirmed active exploitation

Impact

Critical – full authentication bypass + RCE

Exposure

Significant – ~2,000 instances online, many unpatched

Overall Risk

Severe – immediate exploitation risk

CISA Directive and Deadlines

CISA has added CVE202635616 to the Known Exploited Vulnerabilities (KEV) Catalog, mandating all Federal Civilian Executive Branch (FCEB) agencies to patch by Thursday, April 9 (midnight) under Binding Operational Directive (BOD) 2201.

CISA warns that vulnerabilities of this type are frequent attack vectors and pose “significant risks” to federal enterprises. Although the directive applies only to federal agencies, CISA “strongly urges” all organizations—private sector included—to prioritize fast patching

Recommended Mitigations

Immediate Actions

  1. Apply Fortinet emergency hotfixes for EMS versions 7.4.5 and 7.4.6.
  2. Upgrade to EMS version 7.4.7 once it becomes available.
  3. Disable exposed EMS interfaces from the public internet until patched.
  4. Apply CISA BOD 2201 guidance for cloud services and associated assets.

If Mitigation Is Not Possible

CISA advises discontinuing use of the product if workable mitigations are unavailable

 

 
View full post