# CISA Orders Federal Agencies to Patch Actively Exploited FortiClient EMS Vulnerability

The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** has directed federal agencies to secure their **FortiClient Enterprise Management Server (EMS)** instances against **CVE-2026-35616**, a vulnerability actively being exploited. This flaw allows attackers to bypass authentication and authorization controls, posing a significant risk to federal networks.

**CISA** has issued an urgent directive for federal agencies to patch their **FortiClient Enterprise Management Server (EMS)** instances by Friday to address **CVE-2026-35616**, a vulnerability actively exploited in the wild.
## Vulnerability Details
Discovered by **Defused**, this security flaw is a pre-authentication API access bypass. It allows attackers to completely circumvent authentication and authorization mechanisms, potentially leading to unauthorized access and control over affected systems.
**Fortinet** released emergency hotfixes to address the vulnerability, explaining that it stems from an improper access control weakness. Unauthenticated attackers can exploit this to execute arbitrary code or commands by sending specially crafted requests.
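The advisory describes the flaw only in class terms: improper access control that lets unauthenticated requests reach an API. The following added example, which is generic illustration code and not FortiClient EMS code, contrasts the typical shape of that weakness with a deny-by-default design. Every route, token, and role in it is constructed.

```python
"""Deny-by-default authorization for a small HTTP-style API dispatcher.

Added illustration of the vulnerability class named in the advisory
(improper access control on a pre-authentication API). Generic example,
not FortiClient EMS code; all routes, tokens and roles are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed session store: bearer token -> role.
SESSIONS = {"tok-admin-1": "admin", "tok-user-7": "user"}


@dataclass
class Request:
    path: str
    token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str


def handle_health(_role):
    return Response(200, "ok")


def handle_list_clients(_role):
    return Response(200, "client list")


def handle_export_config(_role):
    return Response(200, "exported config")


ROUTES = {
    "/api/health": handle_health,
    "/api/clients": handle_list_clients,
    "/api/admin/export": handle_export_config,
}

# --- Weak pattern: authentication is enforced only for an explicit list
# of paths. A route that was added later but never added to this list is
# served to anonymous callers, which is the access-control failure mode.
PROTECTED_PATHS = {"/api/clients"}


def dispatch_weak(req: Request) -> Response:
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    role = SESSIONS.get(req.token)
    if req.path in PROTECTED_PATHS and role is None:
        return Response(401, "authentication required")
    return handler(role)


# --- Hardened pattern: every route requires authentication unless it is
# explicitly marked public, and every route must declare the role it
# needs; a route with no declared policy fails closed.
PUBLIC_PATHS = {"/api/health"}
REQUIRED_ROLE = {"/api/clients": "user", "/api/admin/export": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}


def dispatch_hardened(req: Request) -> Response:
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    if req.path in PUBLIC_PATHS:
        return handler(None)
    role = SESSIONS.get(req.token)
    if role is None:
        return Response(401, "authentication required")
    needed = REQUIRED_ROLE.get(req.path)
    if needed is None:
        return Response(403, "no authorization policy for route")
    if ROLE_RANK[role] < ROLE_RANK[needed]:
        return Response(403, "insufficient role")
    return handler(role)
```

The point for reviewers and defenders is the default: in the weak dispatcher the safe outcome depends on someone remembering to extend a list, while in the hardened one an undeclared route is unreachable until a policy is written for it.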
## Active Exploitation and Mitigation
**Fortinet** has confirmed that threat actors are actively exploiting this vulnerability in zero-day attacks. IT administrators are strongly advised to immediately apply the provided hotfixes or upgrade to **FortiClient EMS** version 7.4.7 when available.
"**Fortinet** has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for **FortiClient EMS** 7.4.5 and 7.4.6," the company stated.
## Exposed Instances
**Shadowserver**, an internet security watchdog group, currently tracks nearly 2,000 **FortiClient EMS** instances exposed online, with a significant number located in the United States and Europe. The exact number of patched or vulnerable configurations remains unknown.

*FortiClient EMS instances exposed online (Shadowserver)*
## CISA's Directive and Recommendations
On Monday, **CISA** added **CVE-2026-35616** to its Known Exploited Vulnerabilities (KEV) Catalog and, under Binding Operational Directive (BOD) 22-01, mandated that Federal Civilian Executive Branch (FCEB) agencies patch their **FortiClient EMS** instances by Thursday midnight, April 9.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** warned.
The agency recommends applying mitigations as per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing the product's use if mitigations are unavailable.
While BOD 22-01 is specific to U.S. federal agencies, **CISA** strongly encourages all defenders, including those in the private sector, to prioritize patching **CVE-2026-35616** to secure their organizations' networks.
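Organizations outside the FCEB that follow CISA's advice usually do so by checking the KEV feed against their own inventory. The added example below is not from the article or from CISA; it mirrors the field names of the public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`), but the feed excerpt and inventory are constructed, apart from the CVE id and April 9 due date reported above.

```python
"""Triage KEV catalog entries against a local asset inventory.

Added example, not from the article or CISA. The record shape follows the
public KEV JSON feed; the excerpt below is constructed except for the
CVE id and due date that the article reports.
"""
import json
from datetime import date

# Constructed KEV excerpt. Only CVE-2026-35616 and its 2026-04-09 due date
# are taken from the article; the second record is a placeholder.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
     "product": "FortiClient EMS", "dateAdded": "2026-04-06",
     "dueDate": "2026-04-09", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleRouter", "dateAdded": "2026-03-01",
     "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed inventory of (vendor, product) pairs deployed in the estate.
INVENTORY = {("Fortinet", "FortiClient EMS"), ("ExampleVendor", "ExampleNAS")}


def load_kev(raw: str) -> list:
    """Return the vulnerabilities array of a KEV feed document."""
    return json.loads(raw)["vulnerabilities"]


def applicable_entries(entries, inventory):
    """Keep only entries whose vendor/product pair is in the inventory."""
    return [e for e in entries if (e["vendorProject"], e["product"]) in inventory]


def days_until_due(entry, today: date) -> int:
    """Days to the BOD 22-01 due date; negative once it has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(raw: str, inventory, today_iso: str) -> list:
    """Build a worklist of applicable KEV entries, most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for e in applicable_entries(load_kev(raw), inventory):
        remaining = days_until_due(e, today)
        rows.append({
            "cve": e["cveID"],
            "product": e["product"],
            "days_left": remaining,
            "status": "OVERDUE" if remaining < 0 else "DUE",
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
            "action": e["requiredAction"],
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    for row in triage(KEV_JSON, INVENTORY, "2026-04-07"):
        print(f'{row["status"]:8} {row["cve"]} {row["product"]} ({row["days_left"]} days)')
```

Matching on the feed's vendor and product strings is deliberately simple; a real inventory would also carry version information so that hosts already on a hotfixed build drop out of the worklist.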
## Recurring Fortinet Vulnerabilities
**Fortinet** previously patched another critical **FortiClient EMS** flaw (**CVE-2026-21643**) in February, which was also identified as being exploited in attacks.
**Fortinet** vulnerabilities are frequently exploited in cyber espionage campaigns and ransomware attacks, often as zero-day bugs, to compromise corporate networks. Recently, **Fortinet** blocked **FortiCloud** SSO connections from devices running vulnerable firmware versions to mitigate **CVE-2026-24858** zero-day attacks.