Fortinet FortiClient EMS CVE-2026-35616 Added to CISA KEV — Active Exploitation Confirmed
Summary
CISA added CVE-2026-35616 affecting Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog on April 6, 2026, confirming active exploitation in the wild. FortiClient EMS is widely deployed in enterprise environments for endpoint management and VPN connectivity. Organizations using FortiClient EMS must apply available patches immediately.
Threat Analysis
CVE-2026-35616 is a vulnerability in Fortinet FortiClient EMS (Endpoint Management Server) that has been confirmed as actively exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities catalog on April 6, 2026. FortiClient EMS is a centralized management platform used by enterprises to manage FortiClient endpoint security software, including VPN configurations, compliance policies, and security profiles.

Exploitation of this vulnerability could allow attackers to compromise the EMS server, potentially gaining access to endpoint configurations, VPN credentials, and the ability to push malicious configurations to managed endpoints. Given FortiClient EMS's role in managing enterprise VPN access, successful exploitation could provide attackers with a foothold into corporate networks.

Mitigations:
- Apply Fortinet's security patches for FortiClient EMS immediately.
- Review FortiClient EMS access logs for signs of unauthorized access.
- Ensure FortiClient EMS is not directly exposed to the internet.
- Implement network segmentation to limit the blast radius of a potential compromise.
- Monitor for unusual configuration changes pushed to managed endpoints.