
CVE-2026-35616: The Fortinet FortiClient EMS Zero-Day That CISA Just Added to Its Most-Wanted List

CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, 2026. This CVSS-9.1 Fortinet FortiClient EMS flaw has been under active attack since March 31 — Saudi financial institutions must act before the window closes.

FyntraLink Team

On April 6, 2026, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog, confirming what honeypot telemetry had already shown since March 31: attackers are actively weaponizing a critical pre-authentication flaw in Fortinet FortiClient EMS. With a CVSS score of 9.1 and no credentials needed to trigger it, this is not a vulnerability you schedule for next sprint; it is a fire drill happening right now.

What Is CVE-2026-35616 and Why Does It Matter?

FortiClient EMS (Endpoint Management Server) is the nerve center of Fortinet's endpoint security infrastructure. It manages FortiClient agents deployed across thousands of workstations, enforces Zero Trust Network Access (ZTNA) policies, and pushes configuration to every endpoint in your environment. CVE-2026-35616 is an improper access control flaw in the server's API layer: a pre-authentication bypass that lets an unauthenticated remote attacker send crafted API requests, sidestep the authorization checks entirely, and escalate to administrative-level code execution. No username. No password. No phishing email required.

Affected versions are FortiClient EMS 7.4.5 and 7.4.6. Fortinet confirmed exploitation in the wild and has released an emergency hotfix. A full patch is slated for version 7.4.7, but organizations cannot wait for a full release cycle. The hotfix must be applied immediately.

watchTowr's honeypot telemetry recorded the first exploitation attempts on March 31, 2026, five days before CISA's KEV listing. That gap between first-seen-in-the-wild and public listing is precisely the window threat actors use to maximize damage before defenders react.

The Attack Surface Inside Saudi Financial Institutions

Fortinet is one of the most widely deployed security vendors across the Gulf Cooperation Council, particularly within the Saudi banking and insurance sectors. FortiClient EMS instances frequently serve as the backbone of endpoint compliance enforcement for remote access policies mandated under SAMA's Cyber Security Framework (CSCC) and NCA's Essential Cybersecurity Controls (ECC-2:2024). Many organizations deploy their EMS management console in a DMZ or semi-exposed segment to enable remote worker connectivity — a configuration that places the vulnerable service within reach of internet-facing threat actors.

Successful exploitation of CVE-2026-35616 in a financial institution's environment gives an attacker administrator-equivalent API access to the EMS console without ever presenting a credential. From there they can alter endpoint security policies, disable FortiClient agents on critical hosts, pivot laterally using stolen endpoint certificates, and plant persistence mechanisms across the managed fleet. Because every one of those actions is a legitimate EMS operation issued through the normal API, none of them need trip a SIEM rule written for brute force or malware. Given that Saudi banks run continuous transaction processing with extremely low tolerance for downtime, this attack path maps directly to a Tier-1 operational risk event under SAMA CSCC Domain 4 (Cybersecurity Operations) and NCA ECC-2:2024 controls 2-5-2 and 3-3-1.

Understanding the Exploitation Chain

The vulnerability chain works as follows: an attacker with network access to the FortiClient EMS API endpoint submits a crafted HTTP request that omits required authentication tokens in a way the server's access-control logic fails to validate correctly. The server treats the request as internally authorized, granting the attacker API session rights equivalent to an administrator. From there, the attacker can enumerate all registered endpoints, modify compliance posture rules, extract client certificate material, or inject malicious FortiClient configuration updates that will be silently pushed to every managed device on the next sync cycle. The blast radius is not one workstation — it is every workstation managed by that EMS instance.

Security researchers at watchTowr have noted that the flaw's pre-authentication nature makes it trivially scriptable and well suited to mass exploitation campaigns. Threat groups known for targeting financial institutions, including FIN7 successor clusters, have historically moved within hours of a Fortinet flaw becoming public; in this case exploitation was already under way before the KEV listing, so defenders should assume the scanning has already reached them.

Regulatory Implications for SAMA-Regulated Institutions

From a compliance standpoint, leaving CVE-2026-35616 unpatched creates an immediate gap against multiple frameworks. SAMA CSCC Domain 4.3 requires that security patches for critical vulnerabilities be applied within a defined SLA — most institutions set 15 days for critical findings, but CISA's April 9, 2026 federal remediation deadline underscores the urgency that industry best practice should match. NCA ECC-2:2024 Control 3-1 mandates that asset inventories be accurate and that vulnerability management processes are operating effectively; an unpatched EMS instance managing thousands of endpoints represents a systemic gap in that control. Additionally, PDPL obligations around data integrity and access control are directly implicated: an attacker who leverages this flaw to push rogue endpoint configurations could facilitate unauthorized access to personal data processed across managed workstations, triggering notification obligations under the Personal Data Protection Law.

Recommended Actions — Prioritized by Time Sensitivity

  1. Apply the emergency hotfix immediately. Fortinet has released hotfixes for FortiClient EMS 7.4.5 and 7.4.6. Do not wait for the 7.4.7 general release. Download from the Fortinet Support Portal and apply to all EMS instances within 24 hours.
  2. Audit network exposure of EMS management interfaces. If the EMS administrative console (default TCP 443) is reachable from the internet or from untrusted DMZ segments, apply firewall ACLs that restrict it to known management IP ranges as an immediate compensating control while the hotfix is staged. Treat the agent telemetry port (default TCP 8013) separately: managed endpoints and the VPN/ZTNA ranges they connect from still need it, so restrict it to those ranges rather than closing it outright.
  3. Review EMS audit logs for anomalous API calls from March 31 onward. Look specifically for privileged operations (admin session creation, policy modification, configuration pushes, certificate exports) that have no corresponding authenticated session, and for any such events originating from source IPs outside your management ranges. Export and preserve the logs before they rotate, and keep the originals for forensic review.
  4. Validate endpoint policy integrity across managed devices. Confirm that FortiClient configurations pushed to endpoints match your approved baseline. Any drift may indicate that an attacker already tampered with EMS policies before the hotfix was applied.
  5. Report to your security steering committee under SAMA CSCC incident escalation procedures. Even if exploitation is not confirmed, the KEV listing and active threat landscape justify a Tier-2 incident notification to ensure executive awareness and resource authorization for emergency response activities.
  6. Engage your threat intelligence feed. Indicators of compromise (IOCs) associated with exploitation of CVE-2026-35616 are available through CISA's KEV advisory, Tenable Security Center, and the watchTowr public report. Ingest these into your SIEM and EDR immediately.
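Steps 3 and 4 above are the part of this list that can be automated. The following Python script, added here as an illustration and not code from FyntraLink, Fortinet or watchTowr, triages audit events after the March 31 first-seen date and then checks pushed endpoint policies against an approved baseline. The log line format, the event names, the management allowlist and the policy fields are all assumptions: real FortiClient EMS exports use Fortinet's own field names, so map them onto the parser before running this against production logs. The sample log lines and policies are constructed for the example.

```python
"""Constructed example: post-exploitation triage for an EMS instance.

Assumptions (not Fortinet's real format or field names):
  - audit lines look like:  <ISO8601 ts> ems src=<ip> user=<name> event=<type> auth=ok|none [detail="..."]
  - admin work is only expected from MGMT_ALLOWLIST
  - endpoint policies are flat JSON-like dicts keyed by hostname
"""
from __future__ import annotations

import hashlib
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# First in-the-wild exploitation date reported for CVE-2026-35616 (watchTowr telemetry).
FIRST_SEEN = datetime(2026, 3, 31, tzinfo=timezone.utc)

# Assumption: only these ranges should ever drive the EMS console.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.20.1.0/24")]

# Privileged operations worth escalating. Names are placeholders, not EMS event identifiers.
HIGH_RISK_EVENTS = {"admin_session_created", "policy_modified", "agent_config_pushed", "certificate_exported"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ems src=(?P<src>\S+) user=(?P<user>\S*) event=(?P<event>\S+) '
    r'auth=(?P<auth>\S+)(?: detail="(?P<detail>[^"]*)")?$'
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    src: str
    user: str
    event: str
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict | None:
    """Parse one constructed audit line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def triage(lines) -> list[Finding]:
    """Flag privileged events from the review window that are either unauthenticated
    (the bypass signature: admin action with no credential) or come from outside the
    management allowlist. Routine authenticated admin work from allowed ranges is not flagged."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ts"] < FIRST_SEEN or ev["event"] not in HIGH_RISK_EVENTS:
            continue
        reasons = []
        if not any(ipaddress.ip_address(ev["src"]) in net for net in MGMT_ALLOWLIST):
            reasons.append("source outside management allowlist")
        if ev["auth"] != "ok":  # auth=none models a request that never presented a credential
            reasons.append("request not authenticated")
        if reasons:
            findings.append(Finding(ev["ts"], ev["src"], ev["user"], ev["event"], tuple(reasons)))
    return findings


def policy_fingerprint(policy: dict) -> str:
    """Canonical JSON -> SHA-256 so key order on the endpoint cannot create false drift."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def policy_drift(baseline: dict[str, dict], observed: dict[str, dict]) -> dict[str, str]:
    """Return {host: reason} for hosts whose pushed config departs from the approved baseline."""
    drift: dict[str, str] = {}
    for host, cfg in observed.items():
        if host not in baseline:
            drift[host] = "no approved baseline"
        elif policy_fingerprint(cfg) != policy_fingerprint(baseline[host]):
            changed = sorted(k for k in set(cfg) | set(baseline[host]) if cfg.get(k) != baseline[host].get(k))
            drift[host] = "changed: " + ",".join(changed)
    return drift


# Constructed sample data: one pre-window admin login, one unauthenticated attacker
# sequence from a non-management IP, and two legitimate SOC/admin actions.
SAMPLE_LOG = """\
2026-03-30T09:12:01Z ems src=10.20.0.15 user=admin event=admin_session_created auth=ok
2026-04-01T02:47:13Z ems src=203.0.113.77 user= event=admin_session_created auth=none detail="api token missing"
2026-04-01T02:47:19Z ems src=203.0.113.77 user= event=policy_modified auth=none detail="ztna_enforce=off"
2026-04-01T02:48:02Z ems src=203.0.113.77 user= event=agent_config_pushed auth=none detail="fleet sync"
2026-04-02T08:00:00Z ems src=10.20.1.9 user=soc-analyst event=endpoint_list_read auth=ok
2026-04-02T10:30:45Z ems src=10.20.0.15 user=admin event=policy_modified auth=ok detail="av_schedule=daily"
"""

BASELINE = {
    "wks-001": {"ztna_enforce": True, "av_realtime": True, "ems_server": "ems.corp.example"},
    "wks-002": {"ztna_enforce": True, "av_realtime": True, "ems_server": "ems.corp.example"},
}
OBSERVED = {
    "wks-001": {"av_realtime": True, "ztna_enforce": True, "ems_server": "ems.corp.example"},
    "wks-002": {"ztna_enforce": False, "av_realtime": True, "ems_server": "ems.corp.example"},
    "wks-003": {"ztna_enforce": True, "av_realtime": True, "ems_server": "ems.corp.example"},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ts.isoformat()} {f.src} {f.event}: {'; '.join(f.reasons)}")
    for host, why in policy_drift(BASELINE, OBSERVED).items():
        print(f"DRIFT {host}: {why}")
```

On the sample data the triage reports only the three 203.0.113.77 events (the pre-window login and the authenticated admin change from 10.20.0.15 are ignored), and the drift check reports wks-002, where ZTNA enforcement was switched off, and wks-003, which has no approved baseline at all. The fingerprint is computed over canonical JSON on purpose: endpoints and the EMS export often serialize the same policy with different key order, and a naive string comparison would bury real drift in noise.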

Conclusion

CVE-2026-35616 is the kind of vulnerability that separates mature security operations from organizations still running vulnerability management as a quarterly paperwork exercise. It is unauthenticated, it is remotely exploitable, it was added to CISA's KEV catalog within a week of first exploitation being observed, and it sits at the center of the endpoint security architecture that Saudi financial institutions rely on for regulatory compliance. The window between "patch available" and "exploited at scale" is measured in days, not weeks. Fortinet has done its part by releasing the hotfix. The remaining responsibility lies with every CISO and IT security team managing an affected EMS instance.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and emergency vulnerability triage for your Fortinet infrastructure.