CISA Orders Feds to Patch FortiClient EMS Flaw by Thursday
CISA adds CVE-2026-35616 to KEV catalog with April 9 deadline for federal agencies. Nearly 2,000 FortiClient EMS instances remain exposed as exploitation continues.
CISA moved fast on this one. The agency added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog today, giving federal agencies until Thursday midnight to patch their FortiClient EMS deployments.
The three-day window is unusually aggressive. Federal Civilian Executive Branch agencies must comply under Binding Operational Directive 22-01—the standing order that mandates rapid remediation of actively exploited flaws. Most KEV additions come with two-week deadlines. This one doesn't.
We covered the vulnerability's disclosure on Saturday when Fortinet released emergency hotfixes. CISA's action today confirms what defenders already suspected: attackers are moving fast, and the flaw represents exactly the kind of perimeter access that sophisticated threat actors prize.
What Triggered the Rapid Response
CVE-2026-35616 hits three criteria that demand urgent federal attention:
- No authentication required — Attackers don't need credentials to exploit it
- Critical infrastructure impact — FortiClient EMS manages endpoint security across federal networks
- Confirmed active exploitation — watchTowr observed attacks beginning March 31
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA stated in its advisory.
The directive applies only to federal agencies, but CISA urged all organizations—including private sector defenders—to prioritize patching. When the government's cybersecurity agency tells you to act fast, the subtext is clear: they're seeing things in classified briefings that haven't made the news yet.
The Exposure Problem
Nearly 2,000 FortiClient EMS instances remain accessible from the public internet, according to Shadowserver Foundation scans. Over 1,400 of those sit in the United States and Europe—regions where federal contractors and critical infrastructure operators are concentrated.
Enterprise endpoint management platforms shouldn't be internet-exposed. But FortiClient EMS often manages remote workers, distributed offices, and field operations that require external accessibility. Organizations that locked down access during the CVE-2026-21643 exploitation wave last month may have loosened restrictions after patching. Now they're vulnerable again.
The timing compounds the problem. The 7.4.5 and 7.4.6 releases that fixed the SQL injection vulnerability are the same releases that introduced this authentication bypass, so the organizations that upgraded promptly to close the earlier flaw are precisely the ones now exposed. Defenders who moved quickly became victims of the next flaw.
Technical Recap
For organizations still catching up: CVE-2026-35616 is an improper access control vulnerability (CWE-284) with a CVSS score of 9.1. It affects FortiClient EMS versions 7.4.5 and 7.4.6 only.
Successful exploitation allows unauthenticated attackers to:
- Bypass API authentication and authorization entirely
- Execute arbitrary code or commands on the server
- Access managed endpoint inventory and security configurations
- Potentially pivot to managed endpoints across the network
Simo Kohonen from Defused Cyber and researcher Nguyen Duc Anh discovered the flaw. Fortinet released hotfixes on Saturday, with a permanent fix expected in version 7.4.7.
Why Federal Deadlines Matter Beyond Government
When CISA imposes a three-day patch deadline on federal agencies, it sends a signal to the entire ecosystem. Government contractors, vendors with federal customers, and organizations in critical infrastructure sectors typically align their patch cycles with federal mandates.
The short timeline also suggests CISA has visibility into active campaigns. The agency monitors federal network traffic and receives intelligence sharing from partners. Aggressive deadlines correlate with elevated threat activity—even when specific details remain classified.
Fortinet products have appeared in CISA's KEV catalog repeatedly this year. The pattern reflects both the products' widespread deployment in government networks and their attractiveness to attackers seeking perimeter access to federal systems.
Immediate Actions
Organizations running FortiClient EMS should:
- Apply hotfixes immediately — Patches exist for both 7.4.5 and 7.4.6
- Restrict network access — Block internet exposure to the EMS administrative interface
- Monitor for compromise — Review API logs for unauthorized authentication bypasses since March 31
- Plan for 7.4.7 — The permanent fix ships soon; schedule the upgrade now
For organizations that can't patch immediately, isolating EMS from untrusted networks provides partial protection. But given confirmed exploitation, any delay carries substantial risk.
The April 9 deadline applies to federal agencies. Everyone else should treat it as a strong suggestion—CISA doesn't issue three-day mandates casually. Understanding how attackers exploit enterprise software vulnerabilities to breach organizations helps contextualize why agencies respond so urgently to flaws like this one.
What Comes Next
CISA's KEV catalog now contains multiple Fortinet entries from 2026 alone. Each addition increases pressure on the vendor to improve release quality and security testing. It also forces organizations to reevaluate their perimeter security stack.
Fortinet dominates the enterprise firewall and endpoint management market. That dominance means vulnerabilities affect enormous numbers of organizations simultaneously. When patches introduce new vulnerabilities—as happened here—the remediation cycle becomes exhausting for defenders.
The situation mirrors broader trends in enterprise security infrastructure: vendors shipping fast to maintain feature parity, security teams scrambling to keep pace, and attackers exploiting the gaps between disclosure and deployment. Three-day federal deadlines are a symptom of a system under strain.