Jordan Polasek · Founder, BVTech LLC · April 12, 2026 · 8 min read
A short week, a bad one for anyone running edge-of-network appliances. Fortinet shipped an emergency hotfix for FortiClient Enterprise Management Server (EMS) over the weekend; CISA added it to the Known Exploited Vulnerabilities catalog by Monday and gave federal agencies until midnight Thursday to patch. A second critical flaw in Ivanti Endpoint Manager Mobile (EPMM) is following the same pattern.
If your business runs Fortinet FortiClient EMS or Ivanti EPMM, this is a stop-reading-and-go-patch week. Both products sit at the network edge, both are being actively exploited, and both will fall to an unauthenticated attacker if left unpatched. Hotfix paths are linked below.
Here is the breakdown of what hit CISA KEV this week and what Texas small businesses should do about it.
CISA KEV added: April 6, 2026 · Federal patch deadline: April 9, 2026 · CVSS: 9.1 (Critical)
FortiClient Enterprise Management Server is the central management plane for Fortinet endpoint deployments. CVE-2026-35616 is a pre-authentication API access bypass — an unauthenticated attacker can craft a specific HTTP request, skip the entire authentication and authorization stack, and execute code or commands directly on the EMS server.
This is exactly the kind of flaw that makes ransomware operators happy. EMS owns every endpoint it manages; compromising EMS gives an attacker a one-shot path to push commands to the entire endpoint fleet. Cybersecurity firm Defused discovered it; Fortinet shipped an emergency hotfix on Saturday April 4 and disclosed that it had confirmed exploitation in zero-day attacks.
How to remediate:
CISA KEV added: May 7, 2026 (telegraphed since April 9) · Severity: High
Ivanti Endpoint Manager Mobile (formerly MobileIron Core) is the cousin of the Fortinet EMS — same product category, mobile device management, sits at the edge. CVE-2026-6973 is a remote code execution flaw reachable with administrator authentication. That sounds less scary than a pre-auth bypass, until you remember that mobile device management consoles are exactly the thing phishers love to target for credentials.
Shadowserver was tracking over 800 internet-exposed Ivanti EPMM instances at the time of disclosure. The majority are in Europe and North America. If yours is one of them, you have a deadline. Even though the formal CISA add came in May, the writing was on the wall in early April.
How to remediate:
Step back and look at the last six months. Citrix NetScaler (March 30). Fortinet FortiClient EMS (April 6). Ivanti EPMM (May 7). All three are edge appliances. All three protect the perimeter. All three are now KEV entries with active exploitation. Verizon's 2025 DBIR put initial access through edge devices and VPNs at 22% of all breaches — up from 3% a year prior.
There is a reason for that. Edge boxes are exactly the things that EDR and SIEM do not cover. They run vendor firmware. They lack the telemetry that an endpoint protection platform takes for granted. When an attacker compromises one, you usually do not see it for weeks.
For the small Texas businesses I work with at BVTech, the practical takeaway is short: do not put admin consoles on the public internet, even if the vendor docs say it is supported. Put them behind a Cloudflare Access tunnel, a WireGuard VPN, or at the very least a source-IP allowlist. And patch within the window the federal deadline implies, not when you get around to it.
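A source-IP allowlist is only as good as its enforcement, so here is an added example (mine, not code from Fortinet, Ivanti or any vendor) that reads a reverse proxy's access log for the console vhosts and flags every request whose client address falls outside the allowlist. The hostnames, networks and log lines are constructed placeholders, and it assumes the proxy logs the real client IP, which is not the case when a CDN or tunnel sits in front of it.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist: office egress range plus the WireGuard pool (placeholder networks).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.8.0.0/16")]
# Virtual hosts the proxy serves for management consoles (placeholder names).
ADMIN_HOSTS = {"ems.example.com", "epmm.example.com"}
# Combined log format with the vhost prepended: host client - - [ts] "METHOD /path HTTP/1.1" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def is_allowed(src: str) -> bool:
    """True only if src parses as an IP address inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in ALLOWLIST)  # v4/v6 family mismatch is simply False


def audit(lines):
    """(host, src, request, status) for each admin-console request from outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["host"] not in ADMIN_HOSTS:
            continue  # unparseable line, or a public vhost we do not gate
        if not is_allowed(m["src"]):
            findings.append((m["host"], m["src"], m["req"], int(m["status"])))
    return findings


def top_sources(findings):
    """Off-allowlist request counts per source, noisiest first, to drive the block order."""
    return Counter(src for _, src, _, _ in findings).most_common()


# Constructed sample log; the addresses and paths are illustrative only.
SAMPLE_LOG = [
    'ems.example.com 203.0.113.25 - - [12/Apr/2026:08:02:11 -0500] "GET /login HTTP/1.1" 200 2311',
    'ems.example.com 10.8.0.14 - - [12/Apr/2026:08:05:40 -0500] "POST /login HTTP/1.1" 302 0',
    'ems.example.com 198.51.100.7 - - [12/Apr/2026:08:07:03 -0500] "GET /login HTTP/1.1" 200 2311',
    'ems.example.com 198.51.100.7 - - [12/Apr/2026:08:07:09 -0500] "POST /login HTTP/1.1" 401 87',
    'www.example.com 198.51.100.7 - - [12/Apr/2026:08:08:00 -0500] "GET / HTTP/1.1" 200 5120',
    'epmm.example.com 2001:db8::9 - - [12/Apr/2026:08:09:30 -0500] "GET /admin HTTP/1.1" 200 900',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, src, req, status in audit(SAMPLE_LOG):
        print(f"{host} <- {src}: {req} ({status})")
```

Any non-empty result means the console is reachable from somewhere it should not be; a 200 on the login page from an off-allowlist source is the exposure the KEV entries above are about.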
If you run Fortinet FortiClient EMS, Ivanti EPMM, or any other edge management appliance and you are not sure whether it is patched — call BVTech at (210) 538-3669. No sales pitch, no engagement contract required. I will help you check, free of charge.
Stay safe, Texas.
— Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.