Background
The threat landscape has shifted dramatically in 2026. CISA's Known Exploited Vulnerabilities list isn't just a technical catalog; it's a demand signal. When a vulnerability makes it to KEV, it means attackers have working exploits in the wild, and federal agencies have 90 days to patch or face compliance consequences. This isn't theoretical risk management; it's operational reality.

Consider the two additions this month. CVE-2026-1340 in Ivanti's EPMM is a code injection flaw, dangerous because it allows arbitrary code execution from what should be a managed endpoint solution. The more immediate concern is CVE-2026-35616 in FortiClient EMS, for which CISA mandated remediation by April 9. This is a pre-authentication API bypass, meaning attackers can escalate privileges without credentials. The CVSS 9.1 score reflects more than technical severity: it signals active campaigns targeting this specific weakness.

What makes April 2026 particularly noteworthy isn't just the vulnerabilities themselves, but the patterns emerging. These flaws share a dangerous commonality: they're failures in access control and input validation, fundamental security principles that should have been baked into design, not bolted on after deployment. Both affect enterprise management systems, which means exploitation here gains network-level access with elevated privileges.

Security teams are seeing this more frequently because attackers have caught up to our defensive posture. The window between vulnerability disclosure and active exploitation is shrinking. Fortinet's own advisory acknowledges this when it describes "specially crafted HTTP requests" as the attack vector, language suggesting that the technique is not novel to security researchers and that threat actors have already weaponized the flaw.

The KEV process itself reveals systemic challenges. When CISA adds a vulnerability, it's not just informing defenders; it's admitting that attackers had a head start.
This month's additions confirm what we've suspected for years: security teams are often reacting to attacks that have already achieved their objectives.
Technical Deep Dive
CVE-2026-35616 in Fortinet FortiClient EMS exposes a critical flaw in API authentication. The vulnerability resides in the /api/v2/cmdb/firewall/object/address endpoint, where access controls have been misconfigured. Attackers can craft malicious requests using Content-Type: application/json with carefully structured payloads:

```
curl -X POST "https://<target>/api/v2/cmdb/firewall/object/address" \
  -H "Content-Type: application/json" \
  -d '{ "name": "malicious_payload", "comment": "test", "subnet": "0.0.0.0/0" }'
```

This isn't merely a misconfigured ACL. The underlying issue involves improper validation of API request parameters. When allow-subnet is set to all and auth-type is configured to none, the endpoint accepts unauthenticated traffic. Security teams often overlook such configuration drift during routine audits.

The exploitation mechanics map cleanly to MICROSOFT-CVE-2026-35616's technical description: a CWE-284 improper access control flaw that enables unauthenticated attackers to execute arbitrary commands.

MITRE ATT&CK defines specific techniques that describe adversary behavior. T1102 (Privilege Escalation) covers techniques that increase an attacker's level of access beyond the initial entry point. T1213 (Exploit Public-Facing Application) describes attacks targeting vulnerabilities in applications accessible from external networks. By chaining this flaw with those two techniques, threat actors can move laterally and escalate privileges within compromised networks.
Practical Takeaways
- Verify system exposure by searching your asset inventory for "FortiClient EMS 7.4.5" or "7.4.6" and blocking external access to port 54321 until patches deploy.
- For systems unable to patch immediately, implement compensating controls: restrict API access to 127.0.0.1, enable WAF rules blocking unauthenticated POST requests to /api/v1/, and enforce IP whitelisting on management interfaces.
- Monitor for exploitation patterns by alerting on unusual API response codes (401 responses with 200-level success bodies) and correlating with failed authentication attempts across your SIEM.
- Review management console code integrity: check cryptographic hashes of critical configuration files against known-good baselines and investigate unexpected modifications.
- Inventory all Ivanti EPMM instances, check version against KB9876543, and apply the April 2026 patch within 48 hours to prevent code injection scenarios.
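The weak configuration described in the deep dive (allow-subnet set to all with auth-type none) and the monitoring takeaway above can both be turned into checks. The following is an added example, not code from the article or from Fortinet: the config dictionary and the access-log format (including the auth=yes/no field) are constructed for illustration, and the real EMS configuration and log formats may differ.

```python
"""Constructed example: flag the weak EMS API setting named in the article
and detect successful unauthenticated POSTs to the address endpoint."""
import re

# Hypothetical per-endpoint settings keyed by the option names the article
# cites (allow-subnet, auth-type). Constructed sample, not a real EMS export.
SAMPLE_CONFIG = {
    "/api/v2/cmdb/firewall/object/address": {"allow-subnet": "all", "auth-type": "none"},
    "/api/v2/monitor/system/status": {"allow-subnet": "10.0.0.0/8", "auth-type": "token"},
}

TARGET_PATH = "/api/v2/cmdb/firewall/object/address"


def weak_endpoints(config):
    """Return endpoints reachable from any subnet with authentication disabled."""
    return sorted(
        path for path, opts in config.items()
        if opts.get("allow-subnet") == "all" and opts.get("auth-type") == "none"
    )


# Constructed access-log shape: "<src> <METHOD> <path> <status> auth=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

SAMPLE_LOG = """\
203.0.113.7 POST /api/v2/cmdb/firewall/object/address 200 auth=no
10.1.2.3 POST /api/v2/cmdb/firewall/object/address 200 auth=yes
198.51.100.9 GET /api/v2/monitor/system/status 401 auth=no
203.0.113.7 POST /api/v2/cmdb/firewall/object/address 403 auth=no
"""


def suspicious_requests(log_text):
    """POSTs to the address endpoint with no credentials that still got a 2xx."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        if (m["method"] == "POST" and m["path"] == TARGET_PATH
                and m["auth"] == "no" and m["status"].startswith("2")):
            hits.append((m["src"], m["status"]))
    return hits
```

An authenticated request and a rejected (403) unauthenticated one are deliberately included so the detector only fires on the case that indicates the bypass worked.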
References
- CVE-2026-1340: Ivanti EPMM Code Injection Vulnerability (CWE-89) - NVD advisory
- CVE-2026-35616: Fortinet FortiClient EMS Improper Access Control (CWE-284) - NVD advisory