Organizations running Fortinet FortiClient EMS are facing an urgent security crisis as a critical zero-day vulnerability — tracked as CVE-2026-35616 with a CVSS score of 9.8 — is being actively exploited in the wild. Complicating the situation further, Fortinet has thus far released only an emergency hotfix rather than a comprehensive patch, leaving the full remediation pathway incomplete.
CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 7, 2026, establishing a mandatory remediation deadline for federal civilian agencies and sending a clear signal to all organizations: apply the available hotfix immediately.
The Vulnerability: CVE-2026-35616
CVE-2026-35616 is a critical security flaw in Fortinet FortiClient EMS (Enterprise Management Server), the centralized management platform used by enterprises to deploy, manage, and monitor FortiClient endpoint security agents across corporate environments.
The vulnerability carries a CVSS score of 9.8 — classified as Critical — reflecting its potential for unauthenticated exploitation leading to remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the FortiClient EMS server, potentially gaining control over endpoint management infrastructure and the ability to push malicious configurations or software to managed endpoints at scale.
Shadowserver's internet scanning assessed approximately 2,000 publicly exposed FortiClient EMS instances as of April 5, 2026 — all of which represent potential targets in the active exploitation campaign.
Exploitation Timeline
The exploitation timeline reveals a rapidly evolving threat:
- March 31, 2026 — First observed exploitation attempts, characterized by limited activity apparently designed to avoid detection
- April 6, 2026 — Fortinet publicly disclosed the hotfix; exploitation activity escalated significantly on the same day, consistent with threat actors intensifying attacks following public awareness
- April 7, 2026 — CISA added CVE-2026-35616 to its KEV catalog
Security researchers noted the timing was troubling: disclosure of a hotfix — but not a full patch — appears to have accelerated attacker interest rather than reducing risk.
Related Vulnerability: CVE-2026-21643
A related vulnerability, CVE-2026-21643, was disclosed in February 2026. This unauthenticated remote code execution flaw shares technical similarities with CVE-2026-35616 and is also being actively exploited in separate attack campaigns. No confirmed link has been established between the operators behind the two campaigns, but security researchers tracking both note that Fortinet products have attracted sustained adversarial attention throughout early 2026.
Expert Commentary
Security practitioners were direct in their assessment of the risk.
Benjamin Harris, CEO of watchTowr, stated: "Exploitation has ramped up, indicating growing attacker interest and likely broader targeting. The best time to apply the hotfix was yesterday. The second-best time is right now."
Caitlin Condon of VulnCheck added broader context: "Fortinet solutions are popular targets for threat actors generally, so exploitation isn't necessarily surprising. What matters now is speed — organizations with exposed FortiClient EMS servers need to act before attackers expand their targeting."
What Organizations Should Do
Immediate actions:
- Apply the Fortinet hotfix immediately — available via Fortinet's support portal for affected FortiClient EMS versions
- Audit FortiClient EMS exposure — verify whether your instance is internet-accessible and restrict access to VPN or trusted IP ranges only
- Review logs for exploitation indicators — look for anomalous authentication attempts, unexpected administrative actions, or unusual outbound connections from the EMS server
- Monitor Fortinet's security advisory for the release of a comprehensive patch and plan expedited deployment
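The log-review step above names three indicator classes but no mechanics. The script below is an added example, written for this article and not Fortinet code: it triages a small set of constructed records for anomalous authentication attempts, out-of-policy administrative actions and unexpected outbound connections from the management server. It does not use FortiClient EMS's real log format; the record layout (`<timestamp> <event> key=value ...`), the trusted networks, the approved admin accounts, the outbound allowlist and every address and user name are assumptions made for illustration and would be replaced with a site's own values and the server's actual log fields.

```python
"""Triage constructed management-server logs for the three indicator classes
the advisory names: anomalous authentication attempts, unexpected
administrative actions and unusual outbound connections.

Added example; not Fortinet code and not FortiClient EMS's real log format.
The record layout, trusted networks, approved accounts, outbound allowlist
and every address and user name below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed site policy (assumptions for this example, not Fortinet defaults).
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),      # corporate LAN
    ipaddress.ip_network("192.168.50.0/24"),   # admin VPN pool
]
APPROVED_ADMINS = {"ems-admin", "svc-deploy"}
# host:port pairs the server is expected to reach (constructed allowlist).
EXPECTED_OUTBOUND = {"10.10.5.20:443", "10.10.5.21:443"}
FAILED_LOGIN_THRESHOLD = 5  # failures from one source before it is reported

# Constructed sample records: a burst of failures and a later login from the
# same foreign address, an admin action by an unapproved account, and one
# unexpected outbound connection, mixed with benign activity.
SAMPLE_LOG = """\
2026-04-05T02:11:04Z auth result=fail user=admin src=203.0.113.77
2026-04-05T02:11:05Z auth result=fail user=admin src=203.0.113.77
2026-04-05T02:11:06Z auth result=fail user=administrator src=203.0.113.77
2026-04-05T02:11:07Z auth result=fail user=ems-admin src=203.0.113.77
2026-04-05T02:11:08Z auth result=fail user=root src=203.0.113.77
2026-04-05T08:02:00Z auth result=success user=ems-admin src=10.10.4.9
2026-04-05T08:03:12Z admin action=policy_update user=ems-admin src=10.10.4.9
2026-04-05T08:03:15Z outbound dst=10.10.5.20 port=443
2026-04-05T13:40:31Z auth result=success user=admin src=203.0.113.77
2026-04-05T13:41:02Z admin action=push_package user=admin src=203.0.113.77
2026-04-05T13:41:30Z outbound dst=198.51.100.42 port=8443
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "auth", "admin" or "outbound"
    detail: str


def parse_line(line: str) -> tuple[str, str, dict[str, str]]:
    """Split a record into timestamp, event type and its key=value fields."""
    ts, event, *fields = line.split()
    return ts, event, dict(f.split("=", 1) for f in fields)


def is_trusted(ip_str: str) -> bool:
    """True when the address falls inside one of the trusted admin ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious record, plus one per failed-login burst."""
    findings: list[Finding] = []
    failures: Counter[str] = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, kv = parse_line(raw)
        if event == "auth":
            if kv["result"] == "fail":
                failures[kv["src"]] += 1  # counted here, reported after the pass
            elif not is_trusted(kv["src"]):
                findings.append(Finding("auth", f"{ts} login for {kv['user']} from untrusted {kv['src']}"))
        elif event == "admin":
            # Admin activity is in policy only from an approved account on a trusted network.
            if kv["user"] not in APPROVED_ADMINS or not is_trusted(kv["src"]):
                findings.append(Finding("admin", f"{ts} {kv['action']} by {kv['user']} from {kv['src']}"))
        elif event == "outbound":
            dest = f"{kv['dst']}:{kv['port']}"
            if dest not in EXPECTED_OUTBOUND:
                findings.append(Finding("outbound", f"{ts} connection to unexpected destination {dest}"))
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(Finding("auth", f"{n} failed logins from {src}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run against the constructed sample, `triage` reports the successful login and the package push from the untrusted address, the connection to an unlisted destination, and the five-failure burst. The same `is_trusted` check doubles as the exposure audit in the second bullet: any authentication or admin record whose source lies outside the trusted ranges is evidence that the server is reachable from where it should not be.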
For federal agencies: CISA's KEV listing establishes a mandatory remediation deadline — compliance is not optional.
The Broader Fortinet Pattern
The exploitation of FortiClient EMS continues a troubling pattern in which Fortinet products have been a sustained target for ransomware operators, nation-state actors, and financially motivated attackers throughout 2025 and 2026. Previous campaigns targeted FortiGate SSL-VPN appliances, FortiOS, and FortiProxy — demonstrating that adversaries view the Fortinet product surface as a reliable initial access vector into enterprise environments.
Organizations relying on Fortinet's portfolio should ensure vulnerability patching and monitoring are treated as continuous operational priorities rather than periodic maintenance tasks.
Sources: CyberScoop, CISA KEV Catalog, Fortinet Security Advisory, watchTowr, VulnCheck, Shadowserver Foundation