Overview
- CISA has added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, which requires federal agencies to remediate the flaw by the April 9 deadline.
- Fortinet released emergency hotfixes on Saturday for FortiClient EMS versions 7.4.5 and 7.4.6, saying a full fix will land in 7.4.7 and that the 7.2 branch is not affected.
- CVE-2026-35616 is an improper access control bug that lets an attacker bypass API authentication and authorization to execute code or commands without credentials, rated CVSS 9.1.
- Defused discovered the issue and reported seeing it exploited as a zero-day before disclosure, and Fortinet confirmed active in-the-wild attacks and urged immediate patching.
- Shadowserver counts roughly 2,000 FortiClient EMS systems exposed to the internet; since this flaw follows another exploited EMS vulnerability reported in recent weeks, the likelihood of compromise for unpatched, exposed servers is high.