What happened
CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-06, signaling in-the-wild exploitation of Fortinet FortiClient EMS [CISA KEV]. CISA's entry describes an improper access control flaw that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests [CISA KEV]. The vulnerability is tracked as CVE-2026-35616 and is mapped to CWE-284 (Improper Access Control) [NVD entry]. CISA set a remediation due date of 2026-04-09 and directs organizations to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable [CISA KEV].
Why it matters
A pre-auth path to code or command execution is a control-plane failure that collapses perimeter trust for any reachable FortiClient EMS instance [NVD entry]. KEV inclusion means exploitation is confirmed, not hypothetical; CISA only lists vulnerabilities with evidence of active abuse [CISA KEV]. Improper access control (CWE-284) frequently manifests as missing or broken authorization checks on sensitive endpoints, which is exactly the condition adversaries exploit with minimal noise and high reliability [NVD entry]. Federal agencies are mandated to remediate KEV items on deadline, and enterprises should treat the same timeline as table stakes for exposure reduction [CISA KEV].
Technical detail
Per CISA, the flaw permits an unauthenticated attacker to run unauthorized code or commands by sending crafted requests to the service [CISA KEV]. That behavior aligns with CWE-284, where enforcement gaps allow access to privileged functionality without proper authorization checks [NVD entry]. The CVE record is assigned to Fortinet FortiClient EMS and confirms the vulnerability class but does not publish version granularity in the advisory metadata at this time [MITRE CVE]. In practice, access-control flaws of this type are typically triggered by hitting unauthenticated endpoints that should be gated, or by bypassing intended checks through parameter tampering or alternate routes, resulting in server-side execution with the service account's privileges [NVD entry].
The operational takeaway is simple: any network-reachable FortiClient EMS instance may be within the blast radius until mitigations land, because the threat model requires only the ability to deliver crafted requests to the target [CISA KEV]. CISA's KEV posture indicates observed exploitation, so defenders should assume real-world techniques already exist to trigger the vulnerable path [CISA KEV].
Defense
Execute CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable, with a due date of 2026-04-09 [CISA KEV]. CISA also advises checking for signs of potential compromise on all internet-accessible Fortinet products affected by this vulnerability [CISA KEV]. Treat all FortiClient EMS assets as high priority for containment until you confirm posture [NVD entry].
Immediate actions:
- Reduce exposure: restrict external access to FortiClient EMS, place it behind authenticated gateways, and enforce least-privilege routing while mitigations are applied [CISA KEV].
- Validate control-plane calls: monitor for unauthenticated requests invoking sensitive actions or yielding server-side execution patterns consistent with CWE-284 abuse [NVD entry].
- Hunt for compromise: review recent activity for anomalous process launches, unexpected command invocations from the EMS service context, and unexplained configuration changes around the date CISA added the CVE to KEV (2026-04-06) [CISA KEV].
- Remediate on deadline: treat the KEV due date (2026-04-09) as a non-negotiable SLA; document exceptions and isolate stragglers [CISA KEV].
When vendor patches or mitigations are available, apply them immediately, and revalidate by attempting the suspected pre-auth paths to confirm denial of unauthorized actions [MITRE CVE]. Maintain continuous monitoring; KEV items often see exploit commoditization once public attention spikes [CISA KEV].
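The "validate control-plane calls" and "hunt for compromise" actions above reduce to one correlation: an unauthenticated request that reached a gated endpoint and succeeded, followed shortly by a shell spawned under the EMS service. The script below is an added example of that detection logic, not code from the advisory or from Fortinet; the log formats, endpoint paths, host name and the `ems-service` parent process name are constructed placeholders, since the advisory publishes no such details.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for this demo. Paths, host and process names are
# placeholders, not real FortiClient EMS artifacts. Web access log: ts src user method path status
ACCESS_LOG = """\
2026-04-06T10:15:01Z 203.0.113.7 - POST /api/placeholder/admin/exec 200
2026-04-06T10:15:02Z 198.51.100.4 alice GET /api/placeholder/status 200
2026-04-06T10:15:05Z 203.0.113.7 - POST /api/placeholder/admin/exec 200
2026-04-06T10:20:00Z 198.51.100.9 - GET /login 200
2026-04-06T10:30:00Z 203.0.113.7 - POST /api/placeholder/admin/exec 403
"""
# Endpoint process-creation log on the EMS host (also constructed).
PROCESS_LOG = """\
2026-04-06T10:15:03Z host=ems01 parent=ems-service child=cmd.exe
2026-04-06T10:21:00Z host=ems01 parent=ems-service child=updater.exe
"""
SENSITIVE_PREFIXES = ("/api/placeholder/admin/",)  # routes that must require auth
EMS_SERVICE = "ems-service"                          # placeholder service process name
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
PROC_RE = re.compile(r"^(\S+) host=(\S+) parent=(\S+) child=(\S+)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_access(text):
    """One dict per line; user '-' means the request carried no authenticated identity."""
    return [dict(ts=_ts(m[1]), src=m[2], user=m[3], method=m[4], path=m[5], status=int(m[6]))
            for m in map(ACCESS_RE.match, text.splitlines()) if m]

def parse_process(text):
    return [dict(ts=_ts(m[1]), host=m[2], parent=m[3], child=m[4])
            for m in map(PROC_RE.match, text.splitlines()) if m]

def unauthenticated_sensitive(access):
    """CWE-284 signal: an unauthenticated request hit a gated endpoint and was not rejected."""
    return [r for r in access
            if r["user"] == "-" and r["path"].startswith(SENSITIVE_PREFIXES)
            and 200 <= r["status"] < 300]

def correlate(access, procs, window_s=10):
    """Pair each suspicious request with a shell the EMS service spawned within window_s seconds."""
    alerts = []
    for r in unauthenticated_sensitive(access):
        for p in procs:
            if (p["parent"] == EMS_SERVICE and p["child"] in SHELLS
                    and r["ts"] <= p["ts"] <= r["ts"] + timedelta(seconds=window_s)):
                alerts.append((r["src"], r["path"], p["child"], p["ts"].isoformat()))
    return alerts
```

The same check, run after mitigation, should report no unauthenticated 2xx responses on the gated routes; a 403 like the last sample line is the expected post-fix result.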
Lyrie Verdict
This is a textbook pre-auth control-plane failure that lends itself to automated adversary testing and rapid replication once a working request sequence exists [NVD entry]. Lyrie treats KEV-listed, unauthenticated execution paths as critical signals and auto-prioritizes assets where crafted requests can reach the vulnerable surface [CISA KEV]. Our anti-rogue-AI defense stack correlates inbound unauthenticated request patterns with server-side execution telemetry to flag code/command execution without prior auth in near real time, closing the window between first touch and containment [NVD entry]. We push machine-speed controls: block the offending sequence, isolate the EMS host if execution is observed, and continuously verify post-mitigation that unauthorized requests no longer trigger privileged actions [CISA KEV].