The CISA Deadline for CVE-2026-35616 Was 12 Days Ago. Four Weaponized Exploits Are on GitHub Right Now.
- Patrick Duggan
CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalog on April 6th. The federal remediation deadline was April 9th. That was twelve days ago.
There are now four independent weaponized proof-of-concept exploits on GitHub. The newest one dropped yesterday.
CVE-2026-35616 is an improper access control vulnerability in Fortinet FortiClient EMS. The exploit bypasses the API certificate chain validation, allowing an unauthenticated attacker to forge certificates and access the FortiClient EMS management API. From there it is game over — full control of every endpoint managed by that EMS instance.
The four repos:
- wa6n3r/CVE-2026-35616 — dropped April 20, 2026. Full Python exploit. 12KB. Uses the cryptography library to generate forged certificate chains against FortiClient EMS APIs. Zero stars because it is brand new. The code is clean, functional, and ready to copy-paste.
- 0xBlackash/CVE-2026-35616 — earlier release. Already in our IOC index.
- keraattin/CVE-2026-35616 — Turkish researcher. Already indexed.
- Alaatk/CVE-2026-35616 — already indexed.
We have 2,007 IOCs mapped to this CVE across our index. The exploit harvester caught wa6n3r's repo within hours of publication.
This is the second Fortinet FortiClient EMS CVE in KEV this month. CVE-2026-21643 was added April 13th with a deadline of April 16th. We wrote about that one too. Same product. Same attack surface. Different bug. Both actively exploited. Both past deadline.
Fortinet has been in KEV five times in the last six months. FortiClient EMS twice in April alone. FortiWeb in November. Multiple products in December and January. At some point you stop calling them zero-days and start calling them architecture.
If you run FortiClient EMS and you have not patched since April 6th, you are twelve days past the federal deadline with four public exploits available to anyone with a GitHub account and a Python interpreter. The cert chain bypass means your API authentication is not protecting you. The attacker does not need credentials. They forge the certificate.
Patch. Today. Not tomorrow. Not after change control. Today.
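To find out whether you are one of the shops described above, cross-reference your own inventory against KEV entries. The sketch below is an added example, not code from this post or from CISA: the sample records are constructed in the shape of the KEV JSON feed using the dates stated here, and the inventory, the `overdue_kev` helper and the rule "patched on or after the KEV listing date counts as remediated" are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed.
# Dates are the ones stated in this post; nothing here is fetched live.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
   "product": "FortiClient EMS", "dateAdded": "2026-04-06", "dueDate": "2026-04-09"},
  {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
   "product": "FortiClient EMS", "dateAdded": "2026-04-13", "dueDate": "2026-04-16"}
]}
""")

# Hypothetical inventory: (vendor, product) -> date of last applied vendor patch.
INVENTORY = {
    ("fortinet", "forticlient ems"): date(2026, 4, 2),
    ("examplevendor", "examplegateway"): date(2026, 4, 18),
}

def overdue_kev(kev, inventory, today):
    """Return KEV entries for products in the inventory that were listed
    after the last patch and whose dueDate has passed, most overdue first."""
    findings = []
    for v in kev["vulnerabilities"]:
        key = (v["vendorProject"].strip().lower(), v["product"].strip().lower())
        if key not in inventory:
            continue  # we do not run this product
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        last_patch = inventory[key]
        # Assumption: a patch applied on/after the listing date remediates it.
        if last_patch is not None and last_patch >= added:
            continue
        if today > due:
            findings.append({"cve": v["cveID"], "product": v["product"],
                             "days_overdue": (today - due).days})
    return sorted(findings, key=lambda f: f["days_overdue"], reverse=True)

if __name__ == "__main__":
    for f in overdue_kev(KEV_SAMPLE, INVENTORY, date(2026, 4, 21)):
        print(f"{f['cve']} {f['product']}: {f['days_overdue']} days past KEV due date")
```

A patch date is only a proxy for remediation; confirm the installed EMS build against the fixed versions in Fortinet's advisory before closing a finding.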
If you want to know the moment the next Fortinet exploit drops on GitHub, our harvester runs every six hours. It caught CVE-2026-37748 thirty-seven minutes after the POC appeared. It caught CVE-2026-35616's newest repo within hours. The IOCs, the repo metadata, and the CISA KEV cross-reference are all in the STIX feed.
2,007 indicators for this CVE alone. 1,089,889 total. 275+ consumers in 46 countries. Updated continuously.
analytics.dugganusa.com/stix/pricing
Code RESCUEME for 40% off this week.
