Breaking: Fortinet FortiClient EMS Under Active Exploit — Patch Now, Deadline Tomorrow
CISA added two critical Fortinet FortiClient EMS vulnerabilities to the Known Exploited Vulnerabilities catalog on 13 April, and one of them is confirmed exploited in the wild with a remediation deadline of 16 April. If you run FortiClient EMS, this is not a drill.
CVE-2026-21643: SQL Injection Leads to Unauthenticated RCE
CVSS 9.8. Network-exploitable, no authentication required, no user interaction. Fortinet's own advisory confirms this vulnerability "has been observed to be exploited in the wild." A public exploit is available on GitHub. The affected version is FortiClient EMS 7.4.4, and the fix is to upgrade to 7.4.5 or above. The CISA deadline for remediation is 16 April, which is tomorrow.
SQL injection in an enterprise endpoint management platform is about as bad as it gets. An attacker who can reach the EMS server over HTTP can execute arbitrary commands without credentials. This is the kind of vulnerability that turns into ransomware access within hours of public exploit code appearing, and that code is already out there.
CVE-2026-35616: Improper Access Control, Also Unauthenticated RCE
CVSS 9.8. A second FortiClient EMS vulnerability affecting versions 7.4.5 and 7.4.6, also allowing unauthenticated remote code execution via crafted HTTP requests. This one was added to KEV on 6 April with a deadline of 9 April, which has already passed. If you upgraded to 7.4.5 to fix CVE-2026-21643, you may have walked into this one. The fix is 7.4.7, which Fortinet says is coming.
Yes, the patch for the first vulnerability introduced a second critical vulnerability. If you are on 7.4.5 or 7.4.6, you are currently exposed. Check your version immediately.
Ivanti EPMM CVE-2026-1340: Also Unauthenticated RCE, Deadline Passed
CISA also added Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1340 to KEV on 8 April with a 3-day deadline that expired on 11 April. CVSS 9.8, unauthenticated remote code execution, affecting versions up to and including 12.7.0.0. If you have Ivanti EPMM and have not patched yet, assume compromise.
So What
Three enterprise endpoint management products with CVSS 9.8 unauthenticated RCE and confirmed or likely exploitation, two from Fortinet and one from Ivanti. Endpoint management platforms are high-value targets because they give attackers administrative control over fleet devices from a single compromise point. The CISA 3-day deadlines on these tell you how urgent the government considers them.
Immediate actions: inventory all FortiClient EMS instances, confirm version, upgrade to 7.4.7 (or 7.4.5 minimum if 7.4.7 is not yet available). Check Ivanti EPMM patch status. If either product is internet-facing, consider pulling it behind a VPN until patched. Review logs for indicators of compromise. These are exactly the kind of vulnerabilities that nation-state and ransomware operators target first.
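As an added example (not code from the post or from either vendor), the inventory check above written as a small triage script: it encodes the affected ranges and fixed builds exactly as the post states them, applies them to an inventory, and shows why 7.4.5 is not a safe landing point for FortiClient EMS. The hostnames and builds in SAMPLE_INVENTORY are constructed.

```python
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'7.4.5' -> (7, 4, 5); '12.7.0.0' -> (12, 7, 0, 0). Tuples compare lexicographically."""
    return tuple(int(p) for p in v.strip().split("."))

# (product, CVE, first affected, last affected, first fixed), as the post states them.
# The post names no fixed build for the Ivanti issue, so that field is None.
AFFECTED = [
    ("FortiClient EMS", "CVE-2026-21643", "7.4.4", "7.4.4", "7.4.5"),
    ("FortiClient EMS", "CVE-2026-35616", "7.4.5", "7.4.6", "7.4.7"),
    ("Ivanti EPMM", "CVE-2026-1340", "0", "12.7.0.0", None),
]

def cves_for(product: str, version: str) -> List[str]:
    """CVEs whose inclusive affected range covers this build."""
    v = parse_version(version)
    return [cve for prod, cve, lo, hi, _ in AFFECTED
            if prod == product and parse_version(lo) <= v <= parse_version(hi)]

def safe_target(product: str) -> Optional[str]:
    """Lowest 'first fixed' build that no affected range covers. For FortiClient EMS
    this rejects 7.4.5 (inside the CVE-2026-35616 range) and returns 7.4.7."""
    fixes = sorted({f for prod, _, _, _, f in AFFECTED if prod == product and f},
                   key=parse_version)
    return next((f for f in fixes if not cves_for(product, f)), None)

def triage(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Rows are (host, product, version); exposed hosts are listed first."""
    rows = []
    for host, product, version in inventory:
        cves = cves_for(product, version)
        rows.append({"host": host, "product": product, "version": version,
                     "cves": cves, "upgrade_to": safe_target(product) if cves else None})
    return sorted(rows, key=lambda r: (not r["cves"], r["host"]))

# Constructed sample inventory: hostnames and builds are illustrative, not real systems.
SAMPLE_INVENTORY = [
    ("ems-hq-01", "FortiClient EMS", "7.4.4"),
    ("ems-hq-02", "FortiClient EMS", "7.4.5"),   # fixed for the first CVE, exposed to the second
    ("ems-lab-01", "FortiClient EMS", "7.4.7"),
    ("epmm-01", "Ivanti EPMM", "12.6.0.1"),
    ("epmm-02", "Ivanti EPMM", "12.7.0.1"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        status = ", ".join(r["cves"]) or "not in any listed affected range"
        fix = f"  -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
        print(f"{r['host']:<11} {r['product']:<16} {r['version']:<9} {status}{fix}")
```

Feed it your real inventory export in place of SAMPLE_INVENTORY; a host on 7.4.5 or 7.4.6 is reported as exposed with 7.4.7 as the only safe target, matching the post's warning.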