Fortinet shipped an emergency patch on April 5 for CVE-2026-35616, an unauthenticated API access bypass in FortiClient Enterprise Management Server (EMS). The vulnerability carries a CVSS score of 9.1 and was already under active exploitation — honeypot data from watchTowr placed the first attempts on March 31, days before the advisory shipped. By April 6 CISA had added the bug to its Known Exploited Vulnerabilities catalog with a federal patch deadline of April 9.
A management plane, not an endpoint
Where the bug lives matters more than the CVSS number. FortiClient EMS is the central console enterprises use to enroll endpoints, push VPN profiles, and administer endpoint protection policy across the fleet. Compromising the EMS does not just give an attacker code execution on one server — it gives them a trusted upstream that the agents on every managed laptop, workstation and remote-access user obey by design.
Exploitation requires no credentials. Per Fortinet’s advisory the flaw is an improper access control failure in the EMS API (CWE-284), so any attacker who can reach the management interface can bypass authentication and execute commands. Hotfixes ship for versions 7.4.5 and 7.4.6, with the rolled-up fix landing in 7.4.7. Operators on older trains should treat the rolled-up release as the safe target rather than chaining hotfixes.
“Holiday weekends are the best time to move”
The timeline is the second part of the story. Defused Cyber and watchTowr both flagged exploitation in the week of April 5, coinciding with a US holiday weekend. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength,” said Benjamin Harris, watchTowr’s CEO and founder. The pattern is now consistent enough across 2025 and early 2026 that scheduling a second on-call rotation around long weekends is a defensible standard, not a paranoid one.
Worth noting: this is the second serious pre-authentication vulnerability in FortiClient EMS within weeks. A pattern of repeated unauthenticated bypasses in the same management surface usually means the surface needs architectural attention, not just patches. Admin-only endpoints often grow accidental ingress paths over years of release pressure, and the management plane is exactly the kind of asset that should sit behind an additional layer of network or identity control.
What this means
For practitioners, three asks fall out of CVE-2026-35616.
First, EMS is not an endpoint. Inventory your management consoles separately from the agents they administer, and verify none of them are reachable from anywhere they don’t need to be — no public internet, no wide internal segments, no flat OT networks. A single trusted upstream is the highest-leverage attacker target on the network.
Second, treat Fortinet KEV listings as a same-day operation. CISA gave federal agencies three days; private operators should match that window. Threat actors moved before the patch shipped, which means a 30-day patch SLA is the wrong frame for any vendor with active exploitation in the wild.
Third, audit who is on call over the next long weekend. If the rotation drops from “primary plus secondary” to “primary only” between Friday and Tuesday, that gap is now a credible threat-actor calendar entry.
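The three asks turned into a small triage routine, added here as an example and not Fortinet's or CISA's code. It assumes KEV records use the keys of CISA's public JSON feed (cveID, vendorProject, dateAdded, dueDate), that your EMS inventory records version, hotfix status and internet reachability, and that the host names are constructed.

```python
"""Patch-triage helper for the three asks above (added example, not Fortinet's or CISA's code).
Assumed, not from the article: KEV records use the keys of CISA's public JSON feed
(cveID, vendorProject, dateAdded, dueDate); host names and the inventory format are constructed."""
from dataclasses import dataclass
from datetime import date
# Constructed sample shaped like a KEV feed; the CVE-2026-35616 dates are the article's.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
     "dateAdded": "2026-04-06", "dueDate": "2026-04-09"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
]
# Versions stated in the article: hotfixes for 7.4.5 and 7.4.6, rolled-up fix in 7.4.7.
HOTFIX_VERSIONS = {(7, 4, 5), (7, 4, 6)}
FIXED_VERSION = (7, 4, 7)

@dataclass
class EmsHost:
    name: str                      # constructed inventory record
    version: str
    hotfix_applied: bool
    reachable_from_internet: bool  # ask one: no public-internet path to the console

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def patch_state(host: EmsHost) -> str:
    ver = parse_version(host.version)
    if ver >= FIXED_VERSION:
        return "fixed"
    if ver in HOTFIX_VERSIONS:
        return "fixed" if host.hotfix_applied else "apply-hotfix"
    return "upgrade-to-7.4.7"  # older trains: go straight to the rolled-up release

def kev_window_days(entry: dict) -> int:
    """Days between KEV listing and the federal due date (3 for this CVE)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days

def triage(kev: list, hosts: list, vendor: str = "Fortinet") -> list:
    """Rows of (host, action, urgency) for every host that still needs work."""
    windows = [kev_window_days(e) for e in kev if e["vendorProject"] == vendor]
    # Ask two: a vendor KEV entry with a three-day federal window is same-day work, not a 30-day SLA.
    urgency = "same-day" if any(d <= 3 for d in windows) else "standard"
    rows = []
    for h in hosts:
        state = patch_state(h)
        if state != "fixed":
            rows.append((h.name, state, urgency))
        if h.reachable_from_internet:
            rows.append((h.name, "remove-internet-exposure", "same-day"))
    return rows
```

Feed it the real KEV JSON and your console inventory and the output is the work list for the day the listing lands; the third ask, the on-call roster, is a calendar check rather than code.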