Signal
Critical Fortinet FortiClient EMS vulnerability actively exploited, emergency patch released
Published 2026-04-07 09:26 UTC · Updated 2026-04-07 21:16 UTC
Tags: cve, exploits, security_tooling, incident_response, security_advisories
Overview
A critical zero-day vulnerability (CVE-2026-35616) in Fortinet's FortiClient Endpoint Management Server (EMS), which manages endpoint security policies, has been actively exploited since late March 2026. The flaw allows unauthenticated attackers to remotely execute arbitrary code on affected EMS versions 7.4.5 and 7.4.6.
Entities
- Fortinet
- Cybersecurity and Infrastructure Security Agency
- Canadian Centre for Cyber Security
- CERT.BE
- FortiClient EMS
- Score total: 1.56
- Momentum 24h: 6
- Posts: 6
- Origins: 5
- Source types: 1
- Duplicate ratio: 0%
Why now
- Exploitation has been observed since late March 2026, indicating active threat actors targeting this flaw.
- CISA’s inclusion of the vulnerability in its Known Exploited Vulnerabilities catalog raises urgency for federal agencies.
- Fortinet’s emergency hotfix is a temporary mitigation until the full patch release, requiring prompt action by users.
Why it matters
- The vulnerability allows unauthenticated attackers to remotely execute code, risking full compromise of endpoint management.
- FortiClient EMS is widely used to manage and secure enterprise endpoints, so exploitation can have broad impact.
- Immediate patching is critical to prevent ongoing attacks and protect organizational networks.
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: high
Recurring claims
- CVE-2026-35616 is a critical vulnerability in Fortinet FortiClient EMS allowing unauthenticated remote code execution.
- Fortinet released an emergency hotfix and plans a full patch in version 7.4.7 to address the vulnerability.
- CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog and ordered immediate remediation by April 9 for federal agencies.
How sources frame it
- CSO Online: neutral
- Canadian Centre For Cyber Security: neutral
- SC Media: neutral
This cluster consolidates multiple authoritative advisories and news reports on the actively exploited Fortinet FortiClient EMS zero-day CVE-2026-35616 and the emergency mitigation efforts.
All evidence
Immediate remediation of Fortinet FortiClient EMS bug ordered by CISA
SC Media · scworld.com · 2026-04-07 21:16 UTC
Fortinet releases emergency hotfix for FortiClient EMS zero-day flaw
CSO Online · csoonline.com · 2026-04-07 20:37 UTC
AL26-007 - Vulnerability impacting Fortinet FortiClientEMS - CVE-2026-35616
Canadian Centre for Cyber Security - Alerts · cyber.gc.ca · 2026-04-07 18:07 UTC
Warning: Critical CVE-2026-35616 is actively exploited, allowing attackers to gain unauthorized access and potentially achieve remote code execution, Patch Immediately!
CERT.BE (BE) - Advisories · ccb.belgium.be · 2026-04-07 15:09 UTC
Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited
Infosecurity Magazine · infosecurity-magazine.com · 2026-04-07 09:26 UTC
Top publishers (this list)
- SC Media (1)
- CSO Online (1)
- Canadian Centre for Cyber Security - Alerts (1)
- CERT.BE (BE) - Advisories (1)
- Infosecurity Magazine (1)
Top origin domains (this list)
- scworld.com (1)
- csoonline.com (1)
- cyber.gc.ca (1)
- ccb.belgium.be (1)
- infosecurity-magazine.com (1)