Severity: CRITICAL - Active Exploitation Confirmed

Source: CISA Known Exploited Vulnerabilities (KEV) Catalog | CVE: CVE-2026-35616 | Published: April 6, 2026

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Fortinet FortiClient EMS (Endpoint Management Server) and is classified as an Improper Access Control flaw.

This is not a theoretical risk. CISA's KEV listing means there is confirmed, real-world evidence of active exploitation by malicious actors right now. FortiClient EMS is widely deployed across enterprise environments as a centralized endpoint security management platform, making it a high-value target. An attacker who successfully exploits this vulnerability can bypass access controls, potentially gaining unauthorized access to managed endpoints across an entire organization's network.

Fortinet products are among the most widely deployed network security tools in East Africa, used by commercial banks, government ministries, telecoms, and energy operators in Kenya, Ethiopia, Somalia, and across the Horn of Africa.

Impact Assessment for East African Organizations

For organizations in the region, this vulnerability carries outsized risk because of how centrally FortiClient EMS sits within an enterprise security stack. If EMS is compromised, an attacker does not breach one endpoint - they gain visibility and control over every managed device connected to that server.

Banking and Financial Services: Kenyan commercial banks and microfinance institutions regulated under CBK guidelines rely heavily on endpoint management solutions to enforce compliance and data security. A compromised EMS server could expose customer data, facilitate fraudulent transactions, and trigger violations under the Kenya Data Protection Act 2019 and PCI-DSS requirements.

Government Agencies: Ministries and parastatals in Kenya, Ethiopia, and Somalia using FortiClient EMS to manage staff devices face the risk of full network takeover. This is particularly acute for agencies handling citizen data, revenue collection, or national security functions.

Power and Energy Sector: Critical infrastructure operators, including utilities in Kenya and Ethiopia, that use Fortinet solutions for OT/IT network segmentation face operational disruption risk. A successful breach at the endpoint management layer could provide a pivot point toward industrial control systems (ICS).

Telecommunications: Regional telcos managing thousands of distributed endpoints across multiple countries are exposed to lateral movement attacks that could disrupt services affecting millions of subscribers.

Immediate Actions - Do These Now

  • Identify all FortiClient EMS deployments in your environment immediately. Check both on-premises and cloud-hosted instances. Do not assume a vendor manages this for you - verify directly.
  • Apply Fortinet's official patch without delay. Visit the Fortinet PSIRT advisory page for the patched version applicable to your EMS release. CISA directs all organizations to remediate KEV vulnerabilities as a priority.
  • Audit access control configurations on your EMS server. Restrict administrative access to known IP ranges, enforce multi-factor authentication (MFA) on all admin accounts, and review user privilege assignments immediately.
  • Review endpoint logs for anomalies. Look for unusual authentication attempts, unexpected configuration changes, or unauthorized device enrollments in your EMS dashboard going back at least 30 days. Treat any anomaly as a potential indicator of compromise (IOC).
  • Segment and isolate EMS from the open internet. If your FortiClient EMS management interface is publicly accessible, take it offline or place it behind a VPN immediately while patching is completed.
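The access-control audit and the 30-day log review above are the two steps most teams end up scripting. The following is an added example written for this advisory, not code from Fortinet or from FortiClient EMS: it triages a batch of management-server audit events against an administrative IP allowlist and a failed-login threshold. The event lines are constructed in a generic syslog-style key=value format purely for illustration; the real EMS log schema, the field names (action, user, src, result, device), the allowlist of 10.20.0.0/24, the threshold of five failures and the analysis date of April 6, 2026 are all assumptions of this example. The 30-day lookback comes from the advisory.

```python
"""Triage of endpoint-management audit events (constructed example).

The log format, field names and thresholds below are assumptions made for
this example; they are NOT the FortiClient EMS log schema.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like key=value layout.
SAMPLE_LOG = """\
2026-04-01T08:02:11Z action=login user=admin src=10.20.0.15 result=success
2026-04-02T03:14:05Z action=login user=admin src=203.0.113.77 result=failure
2026-04-02T03:14:09Z action=login user=admin src=203.0.113.77 result=failure
2026-04-02T03:14:13Z action=login user=admin src=203.0.113.77 result=failure
2026-04-02T03:14:17Z action=login user=admin src=203.0.113.77 result=failure
2026-04-02T03:14:21Z action=login user=admin src=203.0.113.77 result=failure
2026-04-02T03:14:25Z action=login user=admin src=203.0.113.77 result=success
2026-04-02T03:16:40Z action=config_change user=admin src=203.0.113.77 object=endpoint_profile
2026-04-02T03:20:02Z action=device_enroll user=admin src=203.0.113.77 device=UNKNOWN-PC-7
2026-04-03T09:30:00Z action=device_enroll user=helpdesk src=10.20.0.40 device=KE-NBO-LAPTOP-112
2026-02-10T11:00:00Z action=login user=admin src=198.51.100.9 result=failure
"""

# Assumed policy: admins may only come from this range (the advisory's
# "restrict administrative access to known IP ranges").
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
FAILED_LOGIN_THRESHOLD = 5          # assumed burst threshold per (user, src)
LOOKBACK = timedelta(days=30)        # advisory: review at least 30 days back
ANALYSIS_DATE = datetime(2026, 4, 6) # assumed "now" (advisory publish date)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line: str) -> dict | None:
    """Parse one line into a dict; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = ts
    return fields


def in_allowlist(ip: str) -> bool:
    """True if the source address falls inside an approved admin range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def triage(log_text: str, now: datetime) -> list[tuple[str, dict]]:
    """Return (finding_kind, event) pairs for events inside the lookback window."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    cutoff = now - LOOKBACK
    recent = [e for e in events if e["ts"] >= cutoff]

    findings: list[tuple[str, dict]] = []
    failures: Counter = Counter()
    for e in recent:
        src, action = e.get("src", ""), e.get("action")
        outside = bool(src) and not in_allowlist(src)
        if action == "login" and e.get("result") == "failure":
            failures[(e.get("user"), src)] += 1
        elif action == "login" and e.get("result") == "success" and outside:
            findings.append(("admin_login_outside_allowlist", e))
        elif action == "config_change" and outside:
            findings.append(("config_change_outside_allowlist", e))
        elif action == "device_enroll" and outside:
            findings.append(("enrollment_outside_allowlist", e))

    # A burst of failures followed by a success is the pattern worth escalating.
    for (user, src), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", {"user": user, "src": src, "count": n}))
    return findings


def run_sample() -> list[tuple[str, dict]]:
    """Run the triage over the constructed sample at the assumed analysis date."""
    return triage(SAMPLE_LOG, ANALYSIS_DATE)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind}: {detail}")
```

On the constructed sample this flags the out-of-range successful admin login, the configuration change and device enrollment made from the same address, and the five-failure burst that preceded them, while the February failure falls outside the 30-day window and the helpdesk enrollment from an allowed range is left alone. Each flagged event is an anomaly to treat as a potential IOC in the sense of the advisory, not proof of compromise on its own; the allowlist, threshold and field names must be replaced with your own policy and your EMS's actual log schema before use.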

DRONGO Recommendation

DRONGO's security operations team has deep expertise with Fortinet deployments across East African enterprise and government environments. If you are unsure whether your FortiClient EMS instance is exposed, misconfigured, or already compromised, our team can conduct an emergency vulnerability assessment and patch verification within 24 hours.

Is your organization protected? Request a free security assessment.