Fortinet FortiClient EMS is under active exploitation via two distinct critical vulnerabilities this period: CVE-2026-35616 (CVSS 9.8, improper access control, unauthenticated RCE, CISA KEV-listed, emergency hotfix issued April 4, 2026) and CVE-2026-21643 (CVSS 9.8, SQL injection, active real-world exploitation reported). Both vulnerabilities target the EMS management server interface and are exploitable without authentication. Organizations must apply Fortinet’s emergency hotfix for CVE-2026-35616 immediately (CISA federal deadline April 9, 2026), stage remediation for CVE-2026-21643 per the Fortinet PSIRT advisory, isolate EMS servers from untrusted networks, and treat any EMS host with confirmed exploitation as compromised pending forensic review. Note: three source items cover CVE-2026-35616 with varying detail levels; the dedicated CVE item (priority 0.85, CISA KEV confirmed) should be treated as the authoritative record for this CVE.