Active Exploitation of Fortinet FortiClient EMS Improper Access Control (CVE‑2026‑35616) Added to CISA KEV Catalog
What It Is — Fortinet FortiClient Endpoint Management Server (EMS) contains an improper access‑control vulnerability (CVE‑2026‑35616) that lets unauthenticated actors bypass security checks and obtain administrative privileges on the EMS console.
Exploitability — CISA has verified active exploitation in the wild; a proof‑of‑concept is publicly known and the CVSS v3.1 base score is 8.2 (High).
Affected Products — Fortinet FortiClient EMS releases prior to the fixed builds listed in Fortinet's advisory; confirm the exact affected and fixed version ranges there before treating any instance as patched.
TPRM Impact — The vulnerability enables threat actors to compromise a vendor’s endpoint‑management platform, potentially exposing every client organization that relies on FortiClient EMS for device control, policy enforcement, and telemetry. This creates a supply‑chain risk that can cascade to multiple industries.
Recommended Actions —
- Inventory all third‑party contracts whose vendors run FortiClient EMS, and all internal deployments, and confirm which versions are in use.
- Deploy Fortinet's remediation patch immediately; if patching cannot be done, enforce strict network segmentation and restrict both the EMS administrative console and the endpoint‑registration port to vetted IP ranges, with no direct Internet exposure of the console.
- Prioritize remediation of this KEV entry in accordance with CISA BOD 22‑01 and update vulnerability‑management playbooks.
- Run post‑patch validation scans to confirm the fixed version is actually running, and continuously monitor EMS logs for suspicious activity. Because the flaw yields administrative privileges, also review the console's administrator accounts and recent admin logins for unexplained additions or access from unexpected sources.
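The following is an added example of the interim mitigation above (restricting EMS access to vetted IP ranges on the Windows host that runs EMS); it is not code from the CISA or Fortinet advisories. It assumes the admin console listens on TCP 443 and endpoint registration on TCP 8013, and the address ranges are hypothetical placeholders; check both against your own deployment before running it.

```powershell
# Added example (not from the CISA/Fortinet advisories): restrict inbound access to a
# Windows-hosted FortiClient EMS server to vetted IP ranges with Windows Defender Firewall.
# Assumptions (verify against your deployment): the admin console listens on TCP 443 and
# endpoint registration on TCP 8013; the IP ranges below are hypothetical.
$ConsolePort    = 443
$EndpointPort   = 8013
$AdminRanges    = @('10.10.5.0/24', '192.0.2.10')   # management subnet + jump host (hypothetical)
$EndpointRanges = @('10.0.0.0/8')                   # managed-endpoint address space (hypothetical)

# Windows Firewall applies Block rules ahead of Allow rules, so a "block everything else"
# rule on the same port would also defeat the allow. Instead, make Block the default
# inbound action and add narrowly scoped Allow rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Disable any existing enabled inbound rule that opens either EMS port to any remote address
# (the EMS installer's own rules typically do this).
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $addrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if (($ports -contains "$ConsolePort" -or $ports -contains "$EndpointPort") -and $addrs -contains 'Any') {
        Disable-NetFirewallRule -Name $rule.Name
        Write-Output "Disabled broad rule: $($rule.DisplayName)"
    }
}

New-NetFirewallRule -DisplayName 'FortiClient EMS console (vetted admin ranges only)' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
    -RemoteAddress $AdminRanges -Action Allow -Profile Any | Out-Null

New-NetFirewallRule -DisplayName 'FortiClient EMS endpoint registration (corporate ranges only)' `
    -Direction Inbound -Protocol TCP -LocalPort $EndpointPort `
    -RemoteAddress $EndpointRanges -Action Allow -Profile Any | Out-Null

# Verify: every EMS rule should show a specific RemoteAddress, never 'Any'.
Get-NetFirewallRule -DisplayName 'FortiClient EMS*' | ForEach-Object {
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Action        = $_.Action
        RemoteAddress = ($af.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Run it in an elevated session and only after confirming that rules for your own management paths (RDP, backup agents, monitoring) already exist, since switching the default inbound action to Block drops everything that is not explicitly allowed. An upstream FortiGate or cloud security-group policy scoped the same way gives a second layer that survives if the EMS host itself is compromised. This is a host-level mitigation, not a fix; the patch is still required.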
Source: CISA Advisory – CVE‑2026‑35616