Fortinet FortiClient EMS Improper Access Control Vulnerability Added to KEV Catalog

CISA ICS-CERT Advisories

Published April 6th, 2026

Detected April 6th, 2026

Summary

CISA added CVE-2026-35616 (Fortinet FortiClient EMS Improper Access Control) to the Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The vulnerability poses significant risk as a frequent attack vector for malicious cyber actors. FCEB agencies face binding remediation requirements under BOD 22-01, while CISA urges all organizations to prioritize timely remediation as part of their vulnerability management practice.

View original document View source feed page

What changed

CISA has added CVE-2026-35616, a Fortinet FortiClient EMS Improper Access Control vulnerability, to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. This vulnerability represents a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. The addition triggers binding remediation obligations for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01, which established the KEV Catalog as a living list of known CVEs carrying significant risk to the federal enterprise.

FCEB agencies must remediate CVE-2026-35616 by the due date specified under BOD 22-01 to protect FCEB networks against active threats. Although BOD 22-01 formally applies only to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of this KEV Catalog vulnerability as part of their vulnerability management practice. Organizations running Fortinet FortiClient EMS should treat this alert as a priority and immediately assess and patch affected systems.

What to do next

FCEB agencies: remediate CVE-2026-35616 per BOD 22-01 timelines
All organizations using Fortinet FortiClient EMS: prioritize patching this vulnerability immediately
Incorporate CVE-2026-35616 into vulnerability management prioritization

Source document (simplified)

Alert

CISA Adds One Known Exploited Vulnerability to Catalog

Release Date

April 06, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-35616 - Fortinet FortiClient EMS Improper Access Control Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.