Breach Autopsy: CISA KEV Adds CVE-2026-35616 in Fortinet FortiClient EMS

On April 6, 2026, CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of April 9, 2026. The flaw affects Fortinet FortiClient EMS and can allow unauthenticated code or command execution through crafted requests.

Why this matters now

  • KEV inclusion means exploitation is no longer theoretical; it is active enough to require urgent federal action.
  • The exposure is in endpoint management infrastructure, which often has broad administrative reach.
  • Fast patching is required: CISA's short due date signals high operational risk.

What operators should do in the next 24 hours

  1. Identify all internet-reachable FortiClient EMS instances and isolate management interfaces from public access.
  2. Apply Fortinet hotfixes immediately for 7.4.5 and 7.4.6, then move to 7.4.7+ when available.
  3. Hunt for suspicious API calls and unexpected command execution patterns on EMS hosts.
  4. Reset credentials and rotate secrets tied to impacted management systems after containment.
  5. Document remediation status and any exceptions before the April 9, 2026 KEV deadline.

Affected scope (as currently disclosed)

  • Product: Fortinet FortiClient EMS
  • Affected versions: 7.4.5 through 7.4.6
  • Fixed path: vendor hotfixes now; 7.4.7+ when released
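A small triage helper that encodes the scope and response steps above, added here as an example and not taken from Fortinet or CISA material. The host records and the `EmsHost` fields are constructed assumptions; the version range, fix path and due date come from the advisory.

```python
from dataclasses import dataclass
from datetime import date

# From the advisory: 7.4.5 through 7.4.6 affected, hotfixes now, 7.4.7+ when released.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_MIN = (7, 4, 7)
KEV_DUE = date(2026, 4, 9)


@dataclass
class EmsHost:                 # constructed inventory record (assumption)
    name: str
    version: str               # e.g. "7.4.6"
    hotfix_applied: bool       # vendor hotfix for 7.4.5/7.4.6 installed
    mgmt_public: bool          # management interface reachable from the internet


def parse_version(v: str) -> tuple[int, ...]:
    """Compare numerically: as strings, "7.4.10" would sort below "7.4.6"."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(host: EmsHost, today: date) -> dict:
    """Classify one EMS host and list the actions the advisory calls for."""
    v = parse_version(host.version)
    if v >= FIXED_MIN:
        status = "fixed"
    elif is_affected(host.version):
        status = "mitigated" if host.hotfix_applied else "vulnerable"
    else:
        status = "outside-disclosed-range"  # confirm against vendor guidance
    actions = []
    if host.mgmt_public:
        actions.append("isolate management interface from public access")
    if status == "vulnerable":
        actions.append("apply vendor hotfix now; plan upgrade to 7.4.7+")
        actions.append("hunt for suspicious API calls and unexpected command execution")
    elif status == "mitigated":
        actions.append("upgrade to 7.4.7+ when released")
    # Exposed and unpatched hosts go first; the KEV clock applies to all of them.
    priority = "P1" if status == "vulnerable" and host.mgmt_public else \
               "P2" if status == "vulnerable" else "P3"
    return {"host": host.name, "status": status, "priority": priority,
            "days_to_kev_due": (KEV_DUE - today).days, "actions": actions}
```

Run `triage()` over the inventory and sort by priority to get the remediation list that step 5 asks you to document.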
