Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited
Summary
A critical improper access control vulnerability (CVSS 9.1) in Fortinet FortiClient EMS allows unauthenticated attackers to execute unauthorized code via crafted API requests. CISA added it to its Known Exploited Vulnerabilities catalog on April 6, 2026, requiring federal agencies to patch by April 9.
Threat Analysis
CVE-2026-35616 is a pre-authentication API access bypass vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) versions 7.4.5 through 7.4.6, carrying a CVSS score of 9.1. The flaw (CWE-284: Improper Access Control) allows unauthenticated remote attackers to bypass the API's authentication and authorization protections, enabling execution of unauthorized code or commands via specially crafted requests.

Exploitation attempts were observed against honeypots as early as March 31, 2026, and active zero-day exploitation was confirmed by Defused Cyber and watchTowr. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by April 9, 2026. Fortinet has released hotfixes for versions 7.4.5 and 7.4.6; a full patch is expected in version 7.4.7.

This follows closely on another critical FortiClient EMS flaw (CVE-2026-21643) that also came under active exploitation, suggesting persistent targeting of Fortinet products.

Recommended mitigations: apply the Fortinet hotfixes immediately, restrict network access to FortiClient EMS management interfaces, monitor for anomalous API requests, and review CISA KEV guidance.