Vulnerability Management, Patch/Configuration Management

Immediate remediation of Fortinet FortiClient EMS bug ordered by CISA

Data from more than 15K Fortinet FortiGate firewalls exposed. (Adobe Stock)

BleepingComputer reports that the Cybersecurity and Infrastructure Security Agency has added the actively exploited Fortinet FortiClient Enterprise Management Server pre-authentication API access bypass zero-day, tracked as CVE-2026-35616, to its Known Exploited Vulnerabilities catalog and has called on federal civilian executive branch agencies to remediate affected instances by midnight on Apr. 9.

The CISA order comes after Fortinet issued emergency hotfixes for the improper access control flaw, which attackers could exploit with specially crafted requests to achieve code or command execution.

"Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6," said Fortinet in an advisory accompanying the fixes.

Almost 2,000 internet-exposed FortiClient EMS instances are still at risk of being compromised in attacks involving the flaw, with most of the instances located in North America and Europe, according to The Shadowserver Foundation.
