U.S. CISA Adds Fortinet FortiClient EMS Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability in Fortinet FortiClient EMS, tracked as CVE-2026-35616 with a CVSS score of 9.1, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw was addressed by Fortinet through out-of-band patches released this week. No specific exploitation details, affected versions, or attack vectors were disclosed in the notice. The inclusion in the KEV catalog indicates active exploitation or a significant risk to federal enterprises. The vulnerability pertains to Fortinet’s endpoint management solution, FortiClient EMS.