CISA has added CVE‑2026‑35616, the Fortinet FortiClient EMS Improper Access Control Vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Fortinet’s FortiClient Enterprise Management Server (EMS), the central server that manages FortiClient endpoints, and allows an unauthenticated attacker to execute unauthorised code or commands by sending specially crafted requests.
The vulnerability is an improper access control weakness that is reachable over the network without authentication and leads to arbitrary code execution on the affected EMS server. It carries a CVSS v3.1 base score of 9.1 (Critical), and Fortinet has a patch available. Successful exploitation could give an attacker full control of the management server; because EMS administers the FortiClient agents enrolled in it, a compromised EMS is also a foothold from which to reach the managed endpoints, so the blast radius is larger than a single host.
CISA only adds a CVE to the KEV catalogue when it has evidence of active exploitation in the wild, so this entry means the flaw is being exploited, not merely that it is theoretically exploitable. No ransomware campaign has been publicly linked to this CVE at the time of writing. CISA has set a remediation deadline of 26 April 2026 for Federal Civilian Executive Branch (FCEB) agencies.
Under BOD 22‑01, FCEB agencies must apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations cannot be applied. All other organisations should treat this with the same urgency: inventory FortiClient EMS deployments (including any whose administrative interface is reachable from the internet), apply Fortinet's patch, and, since exploitation predates the advisory, check EMS servers for signs of prior compromise rather than assuming that patching alone resolves the exposure.
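One practical way to act on the advisory is to cross-check an asset inventory against the KEV catalogue and surface which hosts carry a listed product and how long remains before CISA's due date. The script below is an added example written for this page, not code from CISA or Fortinet. It assumes the field names used by CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`); the feed snippet and the inventory are constructed inline from facts stated in the article so the example runs offline, and the hostnames are hypothetical.

```python
"""Cross-check an asset inventory against CISA KEV entries (added example)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed as the author understands it; the single entry is built only from
# facts stated in the article (CVE, vendor, product, name, due date, ransomware use).
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-35616",
      "vendorProject": "Fortinet",
      "product": "FortiClient EMS",
      "vulnerabilityName": "Fortinet FortiClient EMS Improper Access Control Vulnerability",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-04-26",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed inventory: hostname -> (vendor, product). Hypothetical hosts.
INVENTORY = {
    "ems01.corp.example": ("Fortinet", "FortiClient EMS 7.4"),
    "vpn01.corp.example": ("Fortinet", "FortiGate"),
    "web01.corp.example": ("Apache", "HTTP Server"),
}


def _norm(text):
    """Lower-case and collapse whitespace so feed and inventory names compare evenly."""
    return " ".join(text.lower().split())


def load_kev(feed_json):
    """Parse the KEV feed and return its list of vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev_entries, inventory, today):
    """Return one finding per (host, CVE) pair whose vendor and product match.

    Vendor must match exactly (after normalisation). Product matches when the KEV
    product name equals, or is contained in, the inventory product string, so
    "FortiClient EMS" matches "FortiClient EMS 7.4" but not "FortiGate".
    """
    findings = []
    for host, (vendor, product) in inventory.items():
        inv_vendor, inv_product = _norm(vendor), _norm(product)
        for entry in kev_entries:
            if _norm(entry["vendorProject"]) != inv_vendor:
                continue
            kev_product = _norm(entry["product"])
            if kev_product != inv_product and kev_product not in inv_product:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": entry["cveID"],
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    # Most urgent first: fewest days left, then CVE id for a stable order.
    findings.sort(key=lambda f: (f["days_left"], f["cve"], f["host"]))
    return findings


def report(feed_json, inventory, today_iso):
    """Convenience wrapper taking an ISO date string; returns the sorted findings."""
    return match_inventory(load_kev(feed_json), inventory, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in report(KEV_FEED_JSON, INVENTORY, "2026-04-20"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cve']} due {f['due']} ({status}), "
              f"ransomware use: {f['ransomware']}")
```

In a real deployment the feed would be fetched from CISA rather than embedded, and the product match would need a curated mapping table: KEV product names are not consistent across entries, and a loose substring match is deliberately kept here so a versioned inventory string still matches, at the cost of occasional false positives that an analyst has to triage.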
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-35616, the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalog, and Fortinet's own advisory for the affected versions and the fixed release.